PROBABILISTIC INTERFERENCE IN
RESTRICTIVE SYSTEMS


1.  INTRODUCTION 

The notion of noninterference was first introduced by Goguen and Meseguer [1,2] to formally specify and verify security properties. Their formalism allows a specifier to state properties of the form, "commands from the set A, issued by users in the set G, do not interfere with users in the set G'." Goguen and Meseguer showed that a variety of security policies (including label-based mandatory access controls and identity-based discretionary access controls) could be specified by using this formalism. In addition to their wide applicability, noninterference assertions capture our intuition of security properties very well. For these reasons, the noninterference formalization is very appealing as the basis for a general theory of security.

One problem with Goguen and Meseguer's original formulation of noninterference is that they modeled computer systems as deterministic state machines. As discussed in Ref. 3, many computer systems are nondeterministic and therefore cannot be accurately modeled as deterministic machines. Recognizing this, Sutherland [4] and later McCullough [3,5] modeled computer systems as nondeterministic state machines and defined security policies in terms of those models.

In accordance with the view that large, distributed, secure computer systems should be built by hooking up independently built and verified component systems, McCullough proved that his definition of security, called restrictiveness, is composable (i.e., by hooking up two or more restrictive systems, a composite system which is restrictive is produced).

Despite the advances made to date, culminating with McCullough's definition of restrictiveness, some problems remain. First, verifying that a system is restrictive does not show anything about covert timing channels. Specifically, high events can interfere with the timing of low events (e.g., response time). This timing interference can be exploited by trojan horses to leak sensitive information to unauthorized users. In current practice, covert timing channel analyses are performed to find and determine the threat associated with these channels.

Second, verifying that a system is restrictive does not show anything about probabilistic channels: high events can interfere with the probability that a low event will occur. As with timing interference, probabilistic interference can be exploited by a trojan horse to reliably leak high information to unauthorized users. This problem has been noted by other researchers [5,6] but has not previously been addressed.

Third, for the types of interference that are prevented by restrictiveness, the policy cannot be relaxed to allow a small amount of interference. It has been said that computer systems "are often not intended to be completely secure" [7] and that any "real system will have channels that violate the noninterference policy" [6]. For example, low-bandwidth covert channels may be permitted for the sake of performance. For this reason, restrictiveness may be too strong a property for a real system to satisfy. In both Refs. 6 and 7 recommendations are made to partially address this problem.

On the one hand, restrictiveness does not prevent all types of interference (viz., timing and probabilistic interference) and therefore should be strengthened; on the other hand, restrictiveness is too inflexible to allow a small (i.e., somehow quantified and deemed to be sufficiently small) amount of insecurity and therefore should be weakened.

The ultimate objective of our research is to define a security property that completely captures the notion of noninterference (i.e., there are no loopholes like covert timing channels that must be addressed separately), and at the same time can be relaxed to allow some quantifiable amount of interference. Furthermore, this security property must be defined in terms of a sufficiently general system model (i.e., aspects of real systems such as nondeterminism must be representable in the model). We hope that such a property could be practically applied in the development of a secure system to gain assurance that the system provides a specified level of protection.

Our long-term approach for achieving this objective is as follows. Our first objective is to define perfect noninterference. By perfect noninterference we mean that a system that is shown to be perfectly noninterfering cannot exhibit undesirable interference of any kind. We believe that only after we fully understand what it means for a system to be perfectly secure can we properly define our tolerance for insecurity. Thus, our second objective will be to generalize perfect noninterference to allow a quantifiable amount (e.g., 22 bits/min) of interference.

It is toward the first objective, defining perfect noninterference, that the present work is aimed. In this report, we develop an extension to McCullough's restrictiveness that precludes probabilistic interference. We first restate McCullough's state-machine formalism and definition of restrictiveness, and we present an example system that illustrates the problem of probabilistic interference. Then we develop an extension to McCullough's work that solves the problem of probabilistic interference. We present a series of examples designed to show the application of our extension, and an example of a new solution to the so-called secure readers-writers problem [8]. At the end we discuss the composability of our extension, and we present our conclusions and plans for future work.

2.  RESTRICTIVENESS 

In Ref. 5 state machine restrictiveness is formalized in the following way:

Definition: A state machine $\Sigma$ is given by a six-tuple $(S, \sigma_0, E, I, O, T)$, where $S$ is the set of all possible states, $\sigma_0 \in S$ is the initial state, $E$ is the set of possible events, $I \subseteq E$ is the set of all input events, $O \subseteq E$ is the set of all output events, and $T \subseteq S \times E \times S$ is the set of all possible state transitions.

Definition: Extended transitions are given by $ET \subseteq S \times E^* \times S$, where $(\sigma_1, \langle e_1, \ldots, e_{n-1} \rangle, \sigma_n) \in ET$ if and only if some sequence of states $\sigma_2, \ldots, \sigma_{n-1}$ exists such that $(\sigma_i, e_i, \sigma_{i+1}) \in T$ for all $i$, $0 < i < n$.

Definition: Let $\approx$ be an equivalence relation on states of a system $\Sigma$ (specifying which states appear to be the same state from the point of view of a particular user) and $v$ be a subset of $E$ (specifying which events of $\Sigma$ are visible to that user). We call $(v, \approx)$ a projection of the system $\Sigma$.

The following condition for restrictiveness is exactly the same as McCullough's, restated in a more compact form. The condition that must be satisfied for a given projection to be restrictive is stated in two parts. Intuitively, part (1) says that invisible inputs do not affect the visible part of the state; part (2) says that the invisible part of the state does not affect whether or not visible events occur.

Definition: The projection $(v, \approx)$ is restrictive for $\Sigma$ if the following condition holds.

Let $(\sigma_1, x, \sigma_1')$ be an arbitrary transition of $\Sigma$.

(1) $x \in I - v \Rightarrow \sigma_1 \approx \sigma_1'$, and

(2) $\forall \sigma_2 \in S,\ \sigma_1 \approx \sigma_2 \Rightarrow (\exists \sigma_2' \in S)(\exists \gamma \in E^*)$

[(2a) $(\sigma_2, \gamma, \sigma_2') \in ET$,

(2b) $\sigma_2' \approx \sigma_1'$,

(2c) $x \in I \Rightarrow \gamma = \langle x \rangle$,

(2d) $x \in ((E - I) - v) \Rightarrow \gamma \in ((E - I) - v)^*$, and

(2e) $x \in ((E - I) \cap v) \Rightarrow (\exists \gamma_1, \gamma_2 \in ((E - I) - v)^*)[\gamma = \gamma_1 \frown \langle x \rangle \frown \gamma_2]$].

Although McCullough does not give an "unwinding theorem", this condition is analogous to the unwound versions of noninterference given in Refs. 2 and 6.
3. PROBABILISTIC INTERFERENCE

In the previous definition, (2) intuitively says that the invisible part of the state does not interfere with whether or not a particular visible event can occur. However, it does not say that the invisible part of the state does not interfere with the probability with which a particular visible event will occur. For example, consider the following system that keeps track (via its internal state) of the most recent input, and from any state nondeterministically outputs either $Out0$ or $Out1$.

Let $\Sigma_1$ be the state machine given by $(S, \sigma_0, E, I, O, T)$, where

$S = \{0, 1\}$

$\sigma_0 = 0$

$E = \{In0, In1, Out0, Out1\}$

$I = \{In0, In1\}$

$O = \{Out0, Out1\}$

$T = \{(0, In0, 0),\ (0, In1, 1),\ (0, Out0, 0),\ (0, Out1, 0),\ (1, In0, 0),\ (1, In1, 1),\ (1, Out0, 1),\ (1, Out1, 1)\}$.

According to the definition of $T$, in either state 0 or 1 the system can nondeterministically output $Out0$ or $Out1$. However, suppose that when an output occurs in state 0, 95% of the time it is $Out0$, and only 5% of the time it is $Out1$. And when an output occurs in state 1, 95% of the time it is $Out1$, and only 5% of the time it is $Out0$. These probabilities cannot be represented in McCullough's formalism; therefore, they do not affect whether or not the system is restrictive.

Theorem 1: Define the equivalence relation $\approx$ by $\sigma_1 \approx \sigma_2$ for all states $\sigma_1$ and $\sigma_2$ (i.e., the user cannot distinguish state 0 from state 1). Let $v = \{Out0, Out1\}$ (i.e., the user can see outputs but not inputs). The projection $(v, \approx)$ is restrictive for $\Sigma_1$.

Proof: Let $(\sigma_1, x, \sigma_1')$ be an arbitrary transition of $\Sigma_1$.

Since $\sigma_1 \approx \sigma_1'$ for all $\sigma_1$ and $\sigma_1'$,

(1) $x \in I - v \Rightarrow \sigma_1 \approx \sigma_1'$

is trivially true.

Let $\sigma_2$ be an arbitrary state such that $\sigma_1 \approx \sigma_2$. We must show that

(2) $(\exists \sigma_2' \in S)(\exists \gamma \in E^*)$

[(2a) $(\sigma_2, \gamma, \sigma_2') \in ET$,

(2b) $\sigma_2' \approx \sigma_1'$,

(2c) $x \in I \Rightarrow \gamma = \langle x \rangle$,

(2d) $x \in ((E - I) - v) \Rightarrow \gamma \in ((E - I) - v)^*$,

(2e) $x \in ((E - I) \cap v) \Rightarrow (\exists \gamma_1, \gamma_2 \in ((E - I) - v)^*)[\gamma = \gamma_1 \frown \langle x \rangle \frown \gamma_2]$].

There are four cases.

Case 1: $x = In0$. Choose $\sigma_2' = 0$ and $\gamma = \langle In0 \rangle$. Then (2a) $[(\sigma_2, \gamma, \sigma_2') \in ET]$ holds, since in either state $In0$ may be received, after which the state will be 0; (2b) $(\sigma_2' \approx \sigma_1')$ holds since $\sigma_1 \approx \sigma_2$ for all $\sigma_1$ and $\sigma_2$; (2c) $x \in I \Rightarrow \gamma = \langle x \rangle$ holds since $\gamma = \langle In0 \rangle = \langle x \rangle$; and (2d) and (2e) hold trivially since $x \notin (E - I)$.

Case 2: $x = In1$. Choose $\sigma_2' = 1$ and $\gamma = \langle In1 \rangle$. Then (2a) through (2e) all hold by similar arguments.

Case 3: $x = Out0$. Choose $\sigma_2' = \sigma_2$ and $\gamma = \langle Out0 \rangle$. We have two subcases.

Case 3.1: $\sigma_2 = 0$. In this case, 95% of the time, $Out0$ will be output, so $(\sigma_2, \gamma, \sigma_2) \in ET$ is true.

Case 3.2: $\sigma_2 = 1$. In this case, 5% of the time, $Out0$ will be output, so $(\sigma_2, \gamma, \sigma_2) \in ET$ is true. Therefore, (2a) holds; (2b) again holds since $\sigma_1 \approx \sigma_2$ for all $\sigma_1$ and $\sigma_2$; (2c) and (2d) hold trivially since $x \notin I$ and $x \notin ((E - I) - v)$; and (2e) holds since $\gamma = \langle Out0 \rangle = \langle\rangle \frown \langle x \rangle \frown \langle\rangle$ with $\langle\rangle \in ((E - I) - v)^*$.

Case 4: $x = Out1$. Choose $\sigma_2' = \sigma_2$ and $\gamma = \langle Out1 \rangle$. Then (2a) through (2e) hold by similar arguments.

Thus, $(v, \approx)$ is restrictive for $\Sigma_1$. □
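The case analysis in this proof can be mechanized for a finite machine: the existential over $\gamma \in E^*$ in (2a) reduces to reachability through invisible non-input events. The following Python checker is an added example, not code from the report; it encodes conditions (1) and (2a)-(2e) directly and runs them on $\Sigma_1$ with the projection of Theorem 1. The function and variable names are the example's own.

```python
# Sigma_1 from Section 3, without probabilities: (state, event, next state).
S1 = {0, 1}
E1 = {"In0", "In1", "Out0", "Out1"}
I1 = {"In0", "In1"}
T1 = {(0, "In0", 0), (0, "In1", 1), (0, "Out0", 0), (0, "Out1", 0),
      (1, "In0", 0), (1, "In1", 1), (1, "Out0", 1), (1, "Out1", 1)}
V1 = {"Out0", "Out1"}            # the user sees outputs but not inputs


def all_equivalent(a, b):
    """The relation of Theorem 1: every state looks the same to the user."""
    return True


def closure(start, T, events):
    """States reachable from `start` by a (possibly empty) sequence of
    transitions whose events all lie in `events`, i.e. by some gamma in events*."""
    seen, frontier = set(start), list(start)
    while frontier:
        s = frontier.pop()
        for (a, e, b) in T:
            if a == s and e in events and b not in seen:
                seen.add(b)
                frontier.append(b)
    return seen


def is_restrictive(S, E, I, T, v, equiv):
    """McCullough restrictiveness of the projection (v, equiv) for (S, E, I, T).
    Returns (True, None) or (False, description of the failing transition)."""
    hidden = (E - I) - v                       # invisible non-input events
    for (s1, x, s1p) in T:
        # (1) an invisible input must not change the visible part of the state
        if x in (I - v) and not equiv(s1, s1p):
            return False, f"(1) fails: invisible input {x} takes {s1} to {s1p}"
        # (2) every state equivalent to s1 must be able to match the transition
        for s2 in S:
            if not equiv(s1, s2):
                continue
            if x in I:                          # (2c): gamma = <x>
                cands = {b for (a, e, b) in T if a == s2 and e == x}
            elif x in hidden:                   # (2d): gamma in hidden*
                cands = closure({s2}, T, hidden)
            else:                               # (2e): gamma = g1 <x> g2 with g1, g2 in hidden*
                mid = closure({s2}, T, hidden)
                after = {b for (a, e, b) in T if a in mid and e == x}
                cands = closure(after, T, hidden)
            if not any(equiv(s2p, s1p) for s2p in cands):   # (2a) together with (2b)
                return False, f"(2) fails: {s2} cannot match {(s1, x, s1p)}"
    return True, None


if __name__ == "__main__":
    print(is_restrictive(S1, E1, I1, T1, V1, all_equivalent))          # (True, None)
    # With a relation that tells the states apart, condition (1) fails:
    # In1 is an invisible input that moves the system from 0 to 1.
    print(is_restrictive(S1, E1, I1, T1, V1, lambda a, b: a == b))
```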

We would like this theorem and proof to show that the inputs $In0$ and $In1$ do not interfere with the outputs $Out0$ and $Out1$. However, 95% of the time the outputs accurately convey which input was the most recent one.

What the theorem actually says is that the inputs $In0$ and $In1$ interfere only with the invisible part of the system state, and that the invisible part of the state does not interfere with whether or not visible events can occur. The security problem arises because the invisible part of the state does interfere with the probability with which visible events occur. Thus, a noisy but potentially dangerous (and potentially high-bandwidth) channel can exist in a system that is shown to be restrictive. We call this problem probabilistic interference. McCullough [3,9] gives examples of probabilistic interference to illustrate that deducibility security [Sutherland 86] does not rule out all insecure systems. McCullough also states that restrictiveness "disallows all kinds of definite channels (ones that don't involve probabilistic inferences)" [5], where "probabilistic inferences" appears to mean what we term probabilistic interference. The problem has also been noted in Ref. 6, where they ignored nondeterminism and thus did not address the problem.

4.  FORMALIZING  THE  PROBABILITY  OF  EVENTS 

In this section we incorporate probabilistic concerns into the treatment of state machines and restrictiveness, and then reconsider $\Sigma_1$, the example system from the previous section.

4.1.  State  Machines 

We  modify  McCullough’s  formalization  of  state  machines  as  follows. 

A state machine $\Sigma$ is given by a six-tuple $(S, \sigma_0, E, I, O, T)$, where $S$ is the set of all possible states, $\sigma_0$ is the initial state, $E$ is the set of possible events, $I \subseteq E$ is the set of all input events, $O \subseteq E$ is the set of all output events, and $T \subseteq S \times E \times S \times [0, 1]$ is the set of all possible state transitions.

The meaning of $(\sigma_1, e, \sigma_2, p) \in T$ is as follows:

• If $e \in E - I$, then whenever the system is in state $\sigma_1$, the system will engage in $e$ and transition to $\sigma_2$ with probability $p$.

• If $e \in I$, then whenever the system is in state $\sigma_1$, the system will, with probability $p$, attempt to accept $e$ and transition to $\sigma_2$. If the environment is not offering $e$ (e.g., a user has not entered $e$), then on this attempt the system will perform the null transition (i.e., the system will transition from $\sigma_1$ to $\sigma_1$ without engaging in any visible event).

This action of a system attempting to accept an input can be thought of as polling: the system checks whether the environment is ready to provide the input; if the environment is ready, then the system accepts the input and makes its transition; if not, then the system does nothing.

This method of obtaining input can hinder good system performance (e.g., due to busy waiting); therefore, for performance purposes the preferred method of obtaining input is with interrupts. However, for our purpose of preventing interference, interrupts can cause problems. For example, if a high subject can interrupt a system that interacts with a low subject, the high subject can interfere (probabilistically and/or temporally) with the low subject by varying the frequency of its interrupts. By using the polling method of obtaining inputs, a system decides when it will accept an input and thus has complete control over whether high inputs interfere with low outputs. For this reason, we chose to include only the polling method of obtaining input in our system model.

Another effect of the polling method is that it is no longer necessary for systems to be input total (i.e., a system can decide not to accept an input and the input may be lost). Therefore, in this report we do not require that systems be input total. Thus, there are systems (which are not input total) that are not restrictive but do satisfy our definition of security.

Even though the polling method of obtaining inputs is more suitable for security purposes, cases exist where interrupts are useful and do not cause security problems (e.g., a user interface that interacts with a single user at a single security level could be driven by interrupts from the keyboard); therefore a fully general system model should include facilities for specifying and reasoning about interrupts.

Note: For the probabilities of events to make sense, the sum of the probabilities of all next possible events should equal 1. However, for security purposes, we do not need to make this requirement on systems. We consider feasibility for implementation to be a separate issue from security. Thus, a specification of a system may be shown to be secure and at the same time be impossible to implement as specified.

4.2.  P-Restrictiveness 

In this section we incorporate constraints on probabilistic interference into McCullough's state machine restrictiveness. First we formalize the probability that the system, starting in state $\sigma_1$, will (with respect to the projection $(v, \approx)$) appear to engage in the event $x$ and transition to state $\sigma_2$.

Definition: Let

$$P(\sigma_1, x, \sigma_2) = \begin{cases} p \text{ such that } (\sigma_1, x, \sigma_2, p) \in T, & \text{if such a } p \text{ exists;} \\ 0, & \text{otherwise.} \end{cases}$$

Now, for a given projection $(v, \approx)$, define $P_{(v,\approx)} : S \times E \times S \to [0, 1]$ as

$$P_{(v,\approx)}(\sigma_1, x, \sigma_2) = \begin{cases} \displaystyle\sum_{\sigma_2' \approx \sigma_2} P(\sigma_1, x, \sigma_2'), & \text{if } x \in v; \\[1ex] \displaystyle\sum_{x' \in E - v \text{ and } \sigma_2' \approx \sigma_2} P(\sigma_1, x', \sigma_2'), & \text{if } x \notin v. \end{cases}$$

This definition is an integral part of the definition of P-restrictiveness, and so we would like to point out a few subtleties.

First, note that the probabilities of all transitions from $\sigma_1$ (i.e., only $\sigma_1$) to any state equivalent to $\sigma_2$ are summed. This means that $P_{(v,\approx)}(\sigma_1, x, \sigma_2)$ is the probability that the system will, from $\sigma_1$, transition on $x$ (or any invisible event if $x$ is invisible) to a state equivalent to $\sigma_2$. The reason for defining it this way (rather than as the probability that the system will, from any state equivalent to $\sigma_1$, transition on ...) should be clear after the definition of P-restrictiveness has been presented.

Second, note that for an invisible event $x$, the summation includes transitions on any invisible event. This is because from the point of view of the projection $(v, \approx)$, any two transitions from $\sigma_1$ to equivalent (with respect to $\approx$) states that engage in invisible (with respect to $v$) events will appear to be the same.

Third, note that the second case applies for all $x \notin v$. This means that for an $x$ that is not in $E$ (i.e., not even a possible event of the system), $P_{(v,\approx)}(\sigma_1, x, \sigma_2)$ may be positive. Again this is due to the point of view of the projection $(v, \approx)$. To a user with projection $(v, \approx)$, a possible system event that is not in $v$ and another event that is not even a possible system event will appear the same: they are both invisible.
Now we present our extension to McCullough's definition of restrictiveness.

Definition: Let $\approx$ be an equivalence relation on states of a system $\Sigma$, and $v$ be a subset of $E$. The projection $(v, \approx)$ is probability-extended-restrictive (P-restrictive) if the following condition holds.

Let $\sigma_1, \sigma_1' \in S$ be arbitrary states, $x \in E$ be an arbitrary event, and $p \in (0, 1]$ be a nonzero probability. $(\sigma_1, x, \sigma_1', p) \in T$ implies

(1) $x \in I - v \Rightarrow \sigma_1 \approx \sigma_1'$, and

$P_{(v,\approx)}(\sigma_1, x, \sigma_1') = p$ implies

(2) $\forall \sigma_2 \in S,\ \sigma_1 \approx \sigma_2 \Rightarrow (\exists \sigma_2' \in S)(\exists y \in E)$

[(2a) $P_{(v,\approx)}(\sigma_2, y, \sigma_2') = p$,

(2b) $\sigma_2' \approx \sigma_1'$,

(2c) $x \in I \Rightarrow y = x$,

(2d) $x \in ((E - I) - v) \Rightarrow y \in ((E - I) - v)$, and

(2e) $x \in ((E - I) \cap v) \Rightarrow y = x$].


We made this initial statement of P-restrictiveness to emphasize its similarities and differences with McCullough's definition of restrictiveness. The differences are:

• The antecedent of (1) is changed from $(\sigma_1, x, \sigma_1') \in T$ to $(\sigma_1, x, \sigma_1', p) \in T$. This extension corresponds to the extension of the state machine formalization.

• In the antecedent of (2) and within (2a), $(\sigma, x, \sigma') \in T$ is changed to $P_{(v,\approx)}(\sigma, x, \sigma') = p$. This modification represents the addition of constraints on the probabilities with which events occur.

• Within (2), the event sequence $\gamma$ is changed to the event $y$ (e.g., there is a loss of transitive closure in (2d)). The motivation for this change is to simplify the statement and application of P-restrictiveness (viz., we avoid computing the probability of the occurrence of arbitrarily long sequences of events and avoid computing the sum of infinite sets of probabilities of event sequences). This modification has the unfortunate consequence that some systems that are restrictive and that do not contain any probabilistic interference are not P-restrictive (i.e., P-restrictiveness excludes more systems from the set of all restrictive systems than just the ones that exhibit probabilistic interference). In section 5, we further extend our state machine model and definition of P-restrictiveness, which somewhat alleviates this problem.

Largely because of the subtleties of the definition of $P_{(v,\approx)}$, this condition for P-restrictiveness can be restated in the following logically equivalent but simpler form.

Theorem 2: Let $\approx$ be an equivalence relation on states of a system $\Sigma$ and $v$ be a subset of $E$. The projection $(v, \approx)$ is P-restrictive if the following condition holds.

Let $\sigma_1, \sigma_1' \in S$ be arbitrary states, $x \in E$ be an arbitrary event, and $p \in (0, 1]$ be a nonzero probability.

(1) $(\sigma_1, x, \sigma_1', p) \in T$ and $x \in I - v \Rightarrow \sigma_1 \approx \sigma_1'$, and

(2) $\forall \sigma_2 \in S,\ \sigma_1 \approx \sigma_2 \Rightarrow P_{(v,\approx)}(\sigma_1, x, \sigma_1') = P_{(v,\approx)}(\sigma_2, x, \sigma_1')$.
Proof: Assume that for any states $\sigma_1$ and $\sigma_1' \in S$, any event $x \in E$, and any nonzero probability $p \in (0, 1]$,

(1) $(\sigma_1, x, \sigma_1', p) \in T$ and $x \in I - v \Rightarrow \sigma_1 \approx \sigma_1'$, and

(2) $\forall \sigma_2 \in S,\ \sigma_1 \approx \sigma_2 \Rightarrow P_{(v,\approx)}(\sigma_1, x, \sigma_1') = P_{(v,\approx)}(\sigma_2, x, \sigma_1')$.

We must show that the following holds:

Let $\sigma_1, \sigma_1' \in S$ be arbitrary states, $x \in E$ be an arbitrary event, and $p \in (0, 1]$ be a nonzero probability. $(\sigma_1, x, \sigma_1', p) \in T$ implies

(1') $x \in I - v \Rightarrow \sigma_1 \approx \sigma_1'$, and

$P_{(v,\approx)}(\sigma_1, x, \sigma_1') = p$ implies

(2') $\forall \sigma_2 \in S,\ \sigma_1 \approx \sigma_2 \Rightarrow (\exists \sigma_2' \in S)(\exists y \in E)$

[(2a') $P_{(v,\approx)}(\sigma_2, y, \sigma_2') = p$,

(2b') $\sigma_2' \approx \sigma_1'$,

(2c') $x \in I \Rightarrow y = x$,

(2d') $x \in ((E - I) - v) \Rightarrow y \in ((E - I) - v)$, and

(2e') $x \in ((E - I) \cap v) \Rightarrow y = x$].

(1') follows directly from (1). By choosing $\sigma_2' = \sigma_1'$ and $y = x$, (2a') through (2e') follow directly from (2). □

Demonstrating that the original condition for P-restrictiveness (as stated in the definition) implies the condition in theorem 2 (i.e., demonstrating that the two conditions are in fact logically equivalent) requires the use of the definition of $P_{(v,\approx)}$, but it is also straightforward. The simplified condition for P-restrictiveness given in theorem 2 (in addition to being easier to understand) makes the proof of P-restrictiveness easier.

4.3. $\Sigma_1$ Reconsidered

In the probability-extended state machine formalization of the previous section, $\Sigma_1$ can be defined by $(S, \sigma_0, E, I, O, T)$, where

$S = \{0, 1\}$,

$\sigma_0 = 0$,

$E = \{In0, In1, Out0, Out1\}$,

$I = \{In0, In1\}$,

$O = \{Out0, Out1\}$, and

$T = \{(0, In0, 0, .25),\ (0, In1, 1, .25),\ (0, Out0, 0, .475),\ (0, Out1, 0, .025),\ (1, In0, 0, .25),\ (1, In1, 1, .25),\ (1, Out0, 1, .025),\ (1, Out1, 1, .475)\}$.

Theorem 3: Let $v = \{Out0, Out1\}$. There does not exist an equivalence relation $\approx$ on states of $\Sigma_1$ such that the projection $(v, \approx)$ is P-restrictive for $\Sigma_1$.

Proof: Since the occurrence of $In0$ and $In1$ can change the state of the system from 1 to 0 and from 0 to 1, respectively, and $In0$ and $In1$ are not members of $v$, for (1) to hold, the equivalence relation $\approx$ must be defined by $\sigma_1 \approx \sigma_2$ for all $\sigma_1$ and $\sigma_2 \in S$.

Therefore we only need to show that given $\approx$ is defined by $\sigma_1 \approx \sigma_2$ for all $\sigma_1$ and $\sigma_2 \in S$, $(v, \approx)$ is not P-restrictive.
By the definition of $P_{(v,\approx)}$,

$$P_{(v,\approx)}(0, Out0, 0) = \sum_{\sigma_2' \approx 0} P(0, Out0, \sigma_2').$$

Since 0 is the only state $\sigma_2'$ such that $P(0, Out0, \sigma_2')$ is nonzero, and $P(0, Out0, 0) = .475$,

$$P_{(v,\approx)}(0, Out0, 0) = .475.$$

Also by the definition of $P_{(v,\approx)}$,

$$P_{(v,\approx)}(1, Out0, 0) = \sum_{\sigma_2' \approx 0} P(1, Out0, \sigma_2').$$

Since 1 is the only state $\sigma_2'$ such that $P(1, Out0, \sigma_2')$ is nonzero, and $P(1, Out0, 1) = .025$,

$$P_{(v,\approx)}(1, Out0, 0) = .025.$$

Since $0 \approx 1$, and $P_{(v,\approx)}(0, Out0, 0) = .475 \neq .025 = P_{(v,\approx)}(1, Out0, 0)$, $(v, \approx)$ cannot be P-restrictive for $\Sigma_1$. □
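Theorem 2 turns P-restrictiveness into a finite computation. The following Python is an added example, not code from the report: it implements $P$ and $P_{(v,\approx)}$ from Section 4.2 and the two conditions of Theorem 2, reproduces the .475 versus .025 discrepancy of this proof for $\Sigma_1$, and contrasts it with a constructed variant (not from the report) whose output probabilities do not depend on the remembered input. Function names are the example's own.

```python
# Sigma_1 as redefined in Section 4.3: (state, event, next state, probability).
S1 = {0, 1}
E1 = {"In0", "In1", "Out0", "Out1"}
I1 = {"In0", "In1"}
T1 = {(0, "In0", 0, .25), (0, "In1", 1, .25), (0, "Out0", 0, .475), (0, "Out1", 0, .025),
      (1, "In0", 0, .25), (1, "In1", 1, .25), (1, "Out0", 1, .025), (1, "Out1", 1, .475)}
V1 = {"Out0", "Out1"}            # the user sees outputs but not inputs

# Constructed contrast (not from the report): same inputs, but each output is
# emitted with the same probability whichever input was remembered.
T1_FAIR = {(0, "In0", 0, .25), (0, "In1", 1, .25), (0, "Out0", 0, .25), (0, "Out1", 0, .25),
           (1, "In0", 0, .25), (1, "In1", 1, .25), (1, "Out0", 1, .25), (1, "Out1", 1, .25)}


def P(T, s1, x, s2):
    """P(s1, x, s2): the p with (s1, x, s2, p) in T, or 0 if there is none."""
    return next((p for (a, e, b, p) in T if (a, e, b) == (s1, x, s2)), 0.0)


def P_proj(T, v, equiv, s1, x, s2):
    """P_(v,~)(s1, x, s2): probability that, seen through the projection, the system
    moves from s1 on x to some state equivalent to s2.  When x is invisible every
    invisible event is summed, because the observer cannot tell them apart."""
    if x in v:
        return sum(p for (a, e, b, p) in T if a == s1 and e == x and equiv(b, s2))
    return sum(p for (a, e, b, p) in T if a == s1 and e not in v and equiv(b, s2))


def is_p_restrictive(S, E, I, T, v, equiv, tol=1e-12):
    """Theorem 2's condition for the projection (v, equiv).
    Returns (True, None) or (False, witness)."""
    # (1) an invisible input with nonzero probability must not change the visible state
    for (s1, x, s1p, p) in T:
        if p > 0 and x in (I - v) and not equiv(s1, s1p):
            return False, ("(1)", s1, x, s1p)
    # (2) equivalent start states give equal projected probabilities for every (x, s1')
    for s1 in S:
        for s2 in S:
            if not equiv(s1, s2):
                continue
            for x in E:
                for s1p in S:
                    p1 = P_proj(T, v, equiv, s1, x, s1p)
                    p2 = P_proj(T, v, equiv, s2, x, s1p)
                    if abs(p1 - p2) > tol:
                        return False, ("(2)", s1, s2, x, s1p, p1, p2)
    return True, None


def everything_equal(a, b):
    """The only relation that can satisfy (1) for Sigma_1 (first step of Theorem 3)."""
    return True


if __name__ == "__main__":
    print(P_proj(T1, V1, everything_equal, 0, "Out0", 0))               # 0.475
    print(P_proj(T1, V1, everything_equal, 1, "Out0", 0))               # 0.025
    print(is_p_restrictive(S1, E1, I1, T1, V1, everything_equal))       # fails (2)
    print(is_p_restrictive(S1, E1, I1, T1, V1, lambda a, b: a == b))    # fails (1)
    print(is_p_restrictive(S1, E1, I1, T1_FAIR, V1, everything_equal))  # (True, None)
```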

5. DENIAL OF SERVICE

This section presents an example of how nondeterminism can be used to prevent denial of service. First, a denial of service problem is given. A restrictive solution is presented that contains a probabilistic covert channel and is not P-restrictive. Then, an alternative solution is presented that prevents denial of service and is also P-restrictive.

By this series of examples, we hope to show:

(1) Systems that may appear to be reasonable and are restrictive can contain probabilistic covert channels.

(2) A useful, nondeterministic system can be shown to be P-restrictive.

(3) Nondeterminism can be used to prevent denial of service without introducing insecurities.


5.1 The Secure Readers-Writers Problem

Consider the following simplified version of the secure readers-writers problem [8]. A single process controls access to a single object. There are two users called "hi" and "lo". User hi wants to issue sequences of commands of the form "begin read", "read", "read", ..., "read", "end read". User lo wants to issue sequences of commands of the form "begin write", "write (Object)", "write (Object)", ..., "write (Object)", "end write" (where (Object) is the value to be written to the controlled object). The integrity requirement is: If the controlled object is modified (with a successfully executed "write (Object)" command) sometime during a "begin read", "read", "read", ..., "read", "end read" sequence then user hi must be notified. In this way, user hi will be alerted that the object may not have been in a consistent state during the sequence of reads and may retry the sequence. The security requirement for this problem is that commands issued by hi may not interfere with the outputs seen by lo.

Note: This problem has been simplified from the general readers-writers problem (as it appeared in Ref. 8) in two ways:

(1) in the general problem there is more than one object, and

(2) in the general problem there are more than two users. In particular there may be more than one writer, and so there would be an additional integrity requirement to prevent more than one current writer.

5.2 A Small Modification to the Model

Before presenting solutions to the secure readers-writers problem, there is an extension to our model of state machines that we wish to make.

A state machine $\Sigma$ is given by a six-tuple $(S, \sigma_0, E, I, O, T)$ where $S$ is the set of all possible states, $\sigma_0$ is the initial state, $E$ is the set of possible events, $I \subseteq E$ is the set of all input events, $O \subseteq E$ is the set of all output events, and $T \subseteq S \times E^* \times S \times [0, 1]$ is the set of all possible state transitions.

Definition: Let

$$P(\sigma_1, \gamma, \sigma_2) = \begin{cases} p \text{ such that } (\sigma_1, \gamma, \sigma_2, p) \in T, & \text{if such a } p \text{ exists;} \\ 0, & \text{otherwise.} \end{cases}$$

Now, for a given projection $(v, \approx)$, define $P_{(v,\approx)} : S \times E^* \times S \to [0, 1]$ as

$$P_{(v,\approx)}(\sigma_1, \gamma, \sigma_2) = \begin{cases} \displaystyle\sum_{\sigma_2' \approx \sigma_2} P(\sigma_1, \gamma, \sigma_2'), & \text{if } \gamma \in v; \\[1ex] \displaystyle\sum_{\gamma' \in E^* - v \text{ and } \sigma_2' \approx \sigma_2} P(\sigma_1, \gamma', \sigma_2'), & \text{if } \gamma \notin v. \end{cases}$$


Definition: The infix function $\restriction : E^* \times \wp(E) \to E^*$ (called restriction), where $\wp(E)$ is the powerset of $E$, is defined recursively as follows: For any set of events $E_1 \subseteq E$,

$$\langle\rangle \restriction E_1 = \langle\rangle$$

and for any $x \in E$ and any $\gamma \in E^*$,

if $x \in E_1$;
otherwise.


Definition: Let $\approx$ be an equivalence relation on states of a system $\Sigma$ and $v$ be a subset of $E^*$. The projection $(v, \approx)$ is P-restrictive if the following condition holds.

Let $\sigma_1, \sigma_1' \in S$ be arbitrary states, $\gamma \in E^*$ be an arbitrary event sequence, and $p \in (0, 1]$ be a nonzero probability.

(1) $(\sigma_1, \gamma, \sigma_1', p) \in T$ and $\gamma \restriction I \neq \langle\rangle$ and $\gamma \notin v \Rightarrow \sigma_1 \approx \sigma_1'$, and

(2) $\forall \sigma_2 \in S,\ \sigma_1 \approx \sigma_2 \Rightarrow P_{(v,\approx)}(\sigma_1, \gamma, \sigma_1') = P_{(v,\approx)}(\sigma_2, \gamma, \sigma_1')$.

We  use  this  state  machine  formalization  and  definition  of  P-restrictiveness  throughout  the  remainder 
of  this  report. 

McCullough’s  state  machine  formalization  and  restrictiveness  can  be  similarly  generalized  to  allow 
transitions  on  atomic  sequences  of  events  as  follows. 
Definition: A state machine $\Sigma$ is given by a six-tuple $(S, \sigma_0, E, I, O, T)$, where $S$ is the set of all possible states, $\sigma_0 \in S$ is the initial state, $E$ is the set of possible events, $I \subseteq E$ is the set of all input events, $O \subseteq E$ is the set of all output events, and $T \subseteq S \times E^* \times S$ is the set of all possible state transitions.

Definition: Extended transitions are given by $ET \subseteq S \times E^* \times S$, where $(\sigma_1, \gamma_1 \frown \cdots \frown \gamma_{n-1}, \sigma_n) \in ET$ if and only if there exists some sequence of states $\sigma_2, \ldots, \sigma_{n-1}$ such that $(\sigma_i, \gamma_i, \sigma_{i+1}) \in T$ for all $i$, $0 < i < n$.

Definition: Let $\approx$ be an equivalence relation on states of a system $\Sigma$ and $v$ be a subset of $E^*$. The projection $(v, \approx)$ is restrictive for $\Sigma$ if the following condition holds.

Let $(\sigma_1, \gamma, \sigma_1')$ be an arbitrary transition of $\Sigma$.

(1) $\gamma \restriction I \neq \langle\rangle$ and $\gamma \notin v \Rightarrow \sigma_1 \approx \sigma_1'$, and

(2) $\forall \sigma_2 \in S,\ \sigma_1 \approx \sigma_2 \Rightarrow (\exists \sigma_2' \in S)(\exists \gamma' \in E^*)$

[(2a) $(\sigma_2, \gamma', \sigma_2') \in ET$,

(2b) $\sigma_2' \approx \sigma_1'$,

(2c) $\gamma \restriction I \neq \langle\rangle$ and $\gamma \in v \Rightarrow \gamma' = \gamma$,

(2d) $\gamma \notin v \Rightarrow \gamma' \in (E^* - v)^*$, and

(2e) $\gamma \restriction I = \langle\rangle$ and $\gamma \in v \Rightarrow (\exists \gamma_1, \gamma_2 \in ((E - I)^* - v)^*)[\gamma' = \gamma_1 \frown \gamma \frown \gamma_2]$].

5.3  Existing  Solutions 

Solutions for the secure readers-writers problem that use event counts have appeared in the literature since 1974 [10-12] and [8]. These solutions allow the writer to start writing at any time, regardless of whether a reader is currently reading. This prevents all interference with low outputs by high inputs. However, it has the unfortunate consequence that writers can deny service to readers by frequent writing.

The  following  solution  is  equivalent  in  effect  to  these  event  count  solutions. 

Let $\Sigma_2$ be the state machine given by $(S, \sigma_0, E, I, O, T)$, where

$S = \{0, 1\} \times \{0, 1\} \times object \times integer \times integer$

The state of this system is made up of two Booleans, one object (we assume that the type object is previously defined) and two integers. To make the system easier to describe and to understand, we refer to the components of a state $\sigma$ by the following mnemonics:

$\sigma.LoLock$ : boolean
$\sigma.HiWaiting$ : boolean
$\sigma.O$ : object
$\sigma.EventCount$ : integer
$\sigma.HiStartRead$ : integer

The initial state of the system is given by:

$\sigma_0.LoLock = false$ (Note: false means 0, true means 1)

$\sigma_0.HiWaiting = false$

$\sigma_0.O = null$

$\sigma_0.EventCount = 0$

$\sigma_0.HiStartRead = 0$

$E = \{BeginRead, OKtoRead, Read, EndRead, ReadSuccessful, ReadFailed, BeginWrite, OKtoWrite, ObjectWritten, ObjectNotWritten, EndWrite, WriteSuccessful, \epsilon\} \cup object \cup \{Write\ o \mid o \in object\}$
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/  =  {BtfjhtKtmdr  Remd,  EwUttmd?  BtghtWrileT  fMW'nfe)  II  {  Write*  Qn$  abject} 

O  =  \OKt&R*mdTR£m4Swm*xfitl, R*mJF*utd,0KlM'rilt'TOij*tci  Wvitt<tMr€ftj*Kfa44Writla£T 
WrHeSmxtssf «l)  SJ  object 


T  —  {  fa  f WjV  o'.  .143)  |  o'  =  o  except.  nfJffiVmiimg  —  true}  t? 

{  fa  (OKliyRxaJ},  o',  .143)  |  aJOWmitiMg  —  tree  and  o.IoLont  =  fate  and  o'  ss  o  eaorepa 
rfMiW ruling  —  fate  and  «rl'.UiStmrtR<tmd  =  a.EnmtCmmt }  HE 
B  fate  or  ff.LuL&k  —  true) } U 

{  (o;  (Remdr o),  o_ .  143)  |  a = 0.0}  |> 

{  fa{EwiRemd.  ReimiSnaoe*sfnI}r0.A43\  \  aJUStmriRfcmd  =  rr.ErrutCmnaS  )  U 
{  (of-  {EndRr.»4r  Rrm4Fmilrii>.  or,  -143)  |  or.// iStmrtRtad  j£  trJErentCrmnt }  U 

{  («r.  {BegiitWrite,OKtM'rite}fa .  .143)  j  o'  =  o  except  a* -Luljork  =  true  and 
0* .EnentCmmt.  —  er.ErmlComnl  -f  1 }  U 


{(o.0lrrrfeo.0l^ecfllrr£ffen).n'..143)  g  o.£o£«at  =  true  and  o£  object  and 
o'  =  o  except  o'.O  ==  oj  U 

{  (<r,  (llrrf/e  o.  ObjtctX t/tWritlcn).  a.  .14-1)  g  G.LoLock  =  fate}  U 
{  (o.  (EndWrilc.  WriteSutaotss f  ad),  o',  .143)  g  o'  ss  o  except  o’.LoLock.  =  false  }. 


Note:  the  set  {  (o.(<).o.-143)  |  {tr.HiW ailing  —  false  or  a.LoLodt  —  true)}  is  included  in  T  so  that  £2 
will  be  P-iestricthe. 

Theorem 4: Let $\Sigma_2' = (S', \sigma'_0, E', I', O', T')$ where $S' = S$, $\sigma'_0 = \sigma_0$, $E' = E$, $I' = I$, $O' = O$, and $T' = \{(\sigma_1, \gamma, \sigma_2) \mid \exists p \in (0, 1] \text{ such that } (\sigma_1, \gamma, \sigma_2, p) \in T\}$.

Let $\approx$ be defined by:

For all $\sigma$ and $\sigma'$, $\sigma \approx \sigma'$ if and only if $\sigma.LoLock = \sigma'.LoLock$,

and let

$v = \{\langle BeginWrite, OKtoWrite\rangle, \langle EndWrite, WriteSuccessful\rangle\} \cup \{\langle Write\ o, ObjectWritten\rangle \mid o \in object\} \cup \{\langle Write\ o, ObjectNotWritten\rangle \mid o \in object\}$.

The projection $(v, \approx)$ is restrictive for $\Sigma_2'$.

Proof: Let $(\sigma_1, \gamma, \sigma'_1)$ be an arbitrary transition of $\Sigma_2'$.

We must show that:

(1) $\gamma \upharpoonright I' \neq \langle\rangle$ and $\gamma \notin v \Rightarrow \sigma_1 \approx \sigma'_1$, and

(2) $\forall \sigma_2 \in S',\ \sigma_1 \approx \sigma_2 \Rightarrow (\exists \sigma'_2 \in S')(\exists \gamma' \in E'^*)$

[(2a) $(\sigma_2, \gamma', \sigma'_2) \in ET'$,

(2b) $\sigma'_2 \approx \sigma'_1$,

(2c) $\gamma \upharpoonright I' \neq \langle\rangle$ and $\gamma \in v \Rightarrow \gamma' = \gamma$,

(2d) $\gamma \notin v \Rightarrow \gamma' \in (E'^* - v)^*$, and

(2e) $\gamma \upharpoonright I' = \langle\rangle$ and $\gamma \in v \Rightarrow (\exists \gamma_1, \gamma_2 \in (E'^* - v)^*)[\gamma' = \gamma_1 \frown \gamma \frown \gamma_2]$].

NRL REPORT 9315

To show (1), we examine the definition of $T'$ to find all $\gamma$ such that $(\sigma_1, \gamma, \sigma'_1) \in T'$ and $\gamma \upharpoonright I' \neq \langle\rangle$ and $\gamma \notin v$. The examination reveals that there are four such $\gamma$: $\langle BeginRead\rangle$, $\langle Read, o\rangle$, $\langle EndRead, ReadSuccessful\rangle$, and $\langle EndRead, ReadFailed\rangle$. We consider the four cases individually.

Case 1: $\gamma = \langle BeginRead\rangle$.

The only state transitions that accept $BeginRead$ as input are given by:

$\{(\sigma, \langle BeginRead\rangle, \sigma') \mid \sigma' = \sigma \text{ except } \sigma'.HiWaiting = true\}$

Thus, $\sigma'_1 = \sigma_1$ except $\sigma'_1.HiWaiting = true$. And by the definition of $\approx$, $\sigma_1 \approx \sigma'_1$.

Case 2: $\gamma = \langle Read, o\rangle$.

The only state transitions that engage in $\langle Read, o\rangle$ are given by:

$\{(\sigma, \langle Read, o\rangle, \sigma) \mid o = \sigma.O\}$

Thus there is no change in state, and so, $\sigma_1 \approx \sigma'_1$.

Case 3: $\gamma = \langle EndRead, ReadSuccessful\rangle$.

The only state transitions that engage in $\langle EndRead, ReadSuccessful\rangle$ are given by:

$\{(\sigma, \langle EndRead, ReadSuccessful\rangle, \sigma) \mid \sigma.HiStartRead = \sigma.EventCount\}$

Thus there is no change in state and so, $\sigma_1 \approx \sigma'_1$.

Case 4: $\gamma = \langle EndRead, ReadFailed\rangle$.

The only state transitions that engage in $\langle EndRead, ReadFailed\rangle$ are given by:

$\{(\sigma, \langle EndRead, ReadFailed\rangle, \sigma) \mid \sigma.HiStartRead \neq \sigma.EventCount\}$

Thus there is no change in state and so, $\sigma_1 \approx \sigma'_1$.

Therefore, (1) holds.

Now, to show (2), let $\sigma_2$ be an arbitrary state such that $\sigma_1 \approx \sigma_2$. We must show that

$(\exists \sigma'_2 \in S')(\exists \gamma' \in E'^*)$

[(2a) $(\sigma_2, \gamma', \sigma'_2) \in ET'$,

(2b) $\sigma'_2 \approx \sigma'_1$,

(2c) $\gamma \upharpoonright I' \neq \langle\rangle$ and $\gamma \in v \Rightarrow \gamma' = \gamma$,

(2d) $\gamma \notin v \Rightarrow \gamma' \in (E'^* - v)^*$, and

(2e) $\gamma \upharpoonright I' = \langle\rangle$ and $\gamma \in v \Rightarrow (\exists \gamma_1, \gamma_2 \in (E'^* - v)^*)[\gamma' = \gamma_1 \frown \gamma \frown \gamma_2]$].

By examination of $T'$, the transitions of $\Sigma_2'$ are described by ten sets of transitions unioned together. By showing (2) for all 10 sets we will have shown (2) for all transitions. We consider the 10 sets in 10 separate cases.
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Cafe  I:  (tf»,7-0i)  €  {  (a.  (BeginRcad}.a')  |  Y  =  0  except  o'.HWciting  =  true} 

Choose  =  <r2  except  d¥.H Waiting  —  true.  Choose  Y  =  7.  Nov,  (ffjtf.ffi)  € 

{ (0, (Begin Read}. o’)  \o’  =  o  except  o’.HWciting  =  true} 

so  (2a)  bolds;  by  the  transitivity  of  «,  (2b)  bolds;  since  Y  —  7r  (2c)  holds:  and  (2d)  and  (2e) 
bold  vacuously  since  7  ©>/'  and  7  G  r-  Therefore.  Case  1  holds. 

Case  2:  (01.7,  Y)  £  {  (0.  (OKtoRcad),  o’)  |  o.HiWaiting  =  true  and  o.LoLock  -  false  and  0'  = 
o  except  o’. HiW citing  =■  false  and  o’. HiStartRcad  =  o.EventCount] 

Suppose  that  o2Hi\Vaiting  —  true.  Then,  choose  <4  -  <t2  except  o^.H Waiting  =  false 
and  o^.HiStartRead  =  o2.EventCount.  Choose  V  =  7.  Now,  (02,  Y € 
{(<r,{Oft'toflea<0:ff/)  I  a. HiW  citing  =  true  and  o.LoLock  =  false  and  o'  =  a  except 
o’. H Waiting  =  false  and  o’. HiStartRcad  =  o.EventCount] 

so  (2a)  holds;  %  the  transitivity  of  (2b)  holds;  since  Y  =  1-.  (2c)  holds;  and  (2d)  and  (2c) 
hold  vacuously  since  7  €>/'  and  7  G  u- 

On  the  other  hand,  suppose  that  a2.H Waiting  =  false.  Then,  choose  </2  =  o2  and  choose 
Y  =  (<)-  Now-,  (02,  Y,<4)  G  {  (0,  (e),  0)  J  ( o.HiWaiting  =  false  or  o.LoLock  —  true) } 
so  (2a)  holds;  by  the  transitivity  of  x,  (2b)  holds;  (2c)  and  (2e)  hold  vacuously  since  7  v: 
and  (2d)  holds  since  Y  €  (£'*  -  «)*-  Therefore,  Case  2  holds. 

Case  3:  (01,7.0!)  €  {  (0,  (c),<r)  |  ( o.HiWaiting  =  false  or  o.LoLock  —  true) } 

This  case  is  analogous  to  Case  2. 

Case  4:  (01,7,01)  G  { (0,  {Read,  o),  a)  |  o  =  o.O  } 

Choose  02  =  02-  Choose  Y  =  (Read,  o')  where  o'  =  02-O.  Now,  (o2, 7',  0^)  G 
{  (0,  (BeginRead),  o')  |  0'  =  0  except  o'.HWaiting  =  true  } 

so  (2a)  holds;  by  the  reflexivity  and  the  transitivity  of  ~,  (2b)  holds;  (2c)  and  (2e)  hold 
vacuously  since  7  $  v,  and  (2d)  holds  since  Y  G  (£'*  -  u)*.  Therefore,  Case  4  holds. 

Case  5:  (01,7,  0!)  G  { (0,  ( EndRead ,  ReadSuccessful),  0)  |  o. HiStartRcad  =  o.EventCount } 

Suppose  that  o2. HiStartRcad  =  o2.EvcntCount.  Then,  choose  02  =  02-  Choose  7'  =  7. 
Now,  (02)Y)02)  €  {(0,  (EndRead,  ReadSuccessful), 0)  |  o.HiStartRead  =  o.EventCount } 
so  (2a)  holds;  by  the  transitivity  of  «,  (2b)  holds;  (2c)  and  (2e)  hold  vacuously  since  7  $  v; 
and  (2d)  holds  since  Y  €  (£'*  -  u)*. 

On  the  other  hand,  suppose  that  o2.HiStartRead  ^  o2.EventCount .  Then,  choose  d2  =  o2 
and  choose  7'  =  (EndRead,  ReadF ailed) .  Now,  (02,7',  00)  € 

{ (0,  (EndRead,  ReadFailed),  0)  |  o.HiStartRead  £  o.EventCount } 

so  (2a)  holds;  by  the  transitivity  of  a,  (2b)  holds;  (2c)  and  (2e)  hold  vacuously  since  7  $  v, 
and  (2d)  holds  since  7'  G  (£'*  -  v)’.  Therefore,  Case  5  holds. 

Case  6:  (01,7,0!)  S  { (0,  (EndRead,  ReadFailed), o)  |  o.HiStartRead  ^  o.EventCount } 

This  case  is  analogous  to  Case  5. 
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Case 7:  (01.7,0^)  €  { (ot (BeginWrite, OKtoWrite)^)  [o'  —  a except o’.LoLock  —  true  and 
o’  .EventCount  =  o.EventCount  + 1 } 

Choose  <*2  —  02  except  oH.LoLock  =  true  and  <r2* .EventCount  =  o2. EventCount  + 1. 
Choosey  =  7-  Now,  (02,y,02)  €  { (0.  (BeginWrite,  OKtoWrite) ,  o')  |  o’  =  a  except 
o’.LoLock  —  true  and  o'.EventCount  =  o. EventCount  + 1 } 

so  (2a)  holds;  since  o\.LoLock  =  true  =  o^.LoLock,  (2b)  bolds;  since  V  =  7,  (2c)  holds;  and 
(2d)  and  (2e)  hold  vacuously  since  7  6>/'  and  7  €  w.  Therefore,  Case  7  holds. 

Case  8:  (01,7,01)  €  {  (0,  (Write  o,  ObjcctWritten),  o')  \  o.LoLock  =  true  and  o  €  object  and 
o’  =  0  except  o’.O  =  0} 

Choose  02  =  02  except  o2f.O  =  o.  Choose  y  =  7.  Now.  since  02  ~  01,  02-LoLock  =  true 
and  (<r2,y,<^)  € 

{  (0,  (Write  o, ObjcctWritten), o’)  ]  o.LoLock  =  true  and  o  €  object  and  o’  =  0  except 
o'.0  =  o} 

so  (2a)  holds;  by  the  transitivity  of  «,  (2b)  holds;  since  y  =  7,  (2c)  holds;  and  (2d)  and  (2e) 
hold  vacuously  since  7  €>/'  and  7  €  v.  Therefore,  Case  8  holds. 

Case  9:  (01, 7, crj)  €  {  (o,  (Write  o, ObjcctNotW ritten),o)  |  o.LoLock  =  false  } 

Choose  <4  =  02-  Choose  7'  =  7.  Now,  since  02  «  01,  02-LoLock  =  false  and  (02,  y ,  02)  € 

{ (0, (Write o,QbjectNotWritten),o)  |  o.LoLock  =  false} 

so  (2a)  holds;  by  the  transitivity  of  ~,  (2b)  holds;  since  y  =  7,  (2c)  holds;  and  (2d)  and  (2e) 
hold  vacuously  since  7  Q>/'  and  7  €  w.  Therefore,  Case  9  holds. 

Case  10:  (01,7,01)  €  { (o,  (EndWrite,  WriteSiiccessfvl),  o')  \  o'  =  0  except  o'.LoLock  =  false} 

* 

Choose  02  =  02  except  o2'.LoLock  =  false.  Choose  7'  =  7.  Now,  (02, 7',  02)  6 
{ (0,  (EndWrite,  WriteSuccessful),o')  \  o'  =  o  except  o'.LoLock  =  false} 
so  (2a)  holds;  since  o(.LoLock  =  false  =  02,  (2b)  holds;  since  7'  =  7,  (2c)  holds;  and  (2d)  and 
(2e)  hold  vacuously  since  7  Q>  I'  and  7  £  u.  Therefore,  Case  10  holds. 

Thus  (2)  holds  and  (v,«)  is  restrictive  for  E2'.  0 

Theorem 5: Let $\approx$ be defined by:

For all $\sigma$ and $\sigma'$, $\sigma \approx \sigma'$ if and only if $\sigma.LoLock = \sigma'.LoLock$

and let

$v = \{\langle BeginWrite, OKtoWrite\rangle, \langle EndWrite, WriteSuccessful\rangle\} \cup \{\langle Write\ o, ObjectWritten\rangle \mid o \in object\} \cup \{\langle Write\ o, ObjectNotWritten\rangle \mid o \in object\}$

The projection $(v, \approx)$ is P-restrictive for $\Sigma_2$.

Proof: Let $\sigma_1$ and $\sigma'_1 \in S$ be arbitrary states, $\gamma \in E^*$ be an arbitrary event sequence, and $p \in (0, 1]$ be a nonzero probability.

We must show that:

(1) $(\sigma_1, \gamma, \sigma'_1, p) \in T$ and $\gamma \upharpoonright I \neq \langle\rangle$ and $\gamma \notin v \Rightarrow \sigma_1 \approx \sigma'_1$, and

(2) $\forall \sigma_2 \in S,\ \sigma_1 \approx \sigma_2 \Rightarrow$

$P_{(v,\approx)}(\sigma_1, \gamma, \sigma'_1) = P_{(v,\approx)}(\sigma_2, \gamma, \sigma'_1)$.
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To  show  (1),  we  examine  the  definition  of  T  to  find  all  7  such  that  (oi,7,oJ,p)  €  T  and 
7. 1  /  #  0  7  ^  ®-  The  examination  reveals  that  there  are  four  such  7  :  { BeginRead ),  {Read.  o), 

{End Read.  ReadSuccessful) ,  and  {EndRead,  ReadFailed).  We  consider  the  four  cases  individually. 

Case  1:  7  =  {Begin Read). 

The  only  state  transitions  that  accept  BeginRead  as  input  are  given  by: 

{ {a; {BeginRead), o', .143)  {o'  =  0  except o'.HiWaiting  =  true } 

Thus,  o\  —  o.  except  o'.HiWaiting  =  true.  And  by  the  definition  of  o\  ~  o’. 

Case  2:  x  =  (Read,d). 

The  only  state  transitions  that  engage  in  {Read,  o)  are  given  by: 

{ {a,  {Read,  o),o,  .143)  |  o  =  o.O  }. 

Thus  there  is  no  change  in  state,  and  so,  o\  «  o'. 

Case  3:  x  =  {EndRead,  ReadSuccessful) . 

The  only  state  transitions  that  engage  in  {EndRead,  ReadSuccessful)  are  given  by 

{ (o,  ( EndRead ,  ReadSuccessftd),  a,  .143)  |  o.HiStartRead  —  o.EventCount }. 

Thus  there  is  no  change  in  state  and  so,  o\  «  o'. 

Case  4:  x  =  {EndRead,  ReadFailed). 

The  only  state  transitions  that  engage  in  (EndRead,  ReadFailed)  are  given  by 

{ (0,  ( EndRead ,  ReadFailed),  a,  .143)  |  o.HiStartRead  ^  o.EventCount }. 

Thus  there  is  no  change  in  state  and  so, 

Therefore,  (1)  holds. 

Now,  to  show  (2),  let  o2  be  an  arbitrary  state  such  that  ox  «<r2.  We  must  show  that  P{v~}  (ffi ,  7,  )  = 


We  have  two  major  cases:  7  €  v  and  7  ^  v. 

Case 1: $\gamma \in v$.

According to the definition of $v$, there are four different event sequences $\gamma \in v$ for which we must show the above equality. We proceed with one subcase for each of these event sequences.

Case 1.1: $\gamma = \langle BeginWrite, OKtoWrite\rangle$.

By examination of $T$, the transitions that can engage in $\gamma$ are given by:

$\{(\sigma, \gamma, \sigma', .143) \mid \sigma' = \sigma \text{ except } \sigma'.LoLock = true \text{ and } \sigma'.EventCount = \sigma.EventCount + 1\}$

Suppose $\sigma'_1.LoLock = true$. There exists exactly one $\sigma' \in S$ such that $\sigma' = \sigma_1$ except $\sigma'.LoLock = true$ and $\sigma'.EventCount = \sigma_1.EventCount + 1$. Since $\sigma'.LoLock = true = \sigma'_1.LoLock$, $\sigma'_1 \approx \sigma'$ and therefore, $P_{(v,\approx)}(\sigma_1, \gamma, \sigma'_1) = .143$. By similar reasoning, $P_{(v,\approx)}(\sigma_2, \gamma, \sigma'_1) = .143$. Hence, $P_{(v,\approx)}(\sigma_1, \gamma, \sigma'_1) = P_{(v,\approx)}(\sigma_2, \gamma, \sigma'_1)$.

Suppose, on the other hand, that $\sigma'_1.LoLock = false$. In this case, there does not exist a $\sigma' \approx \sigma'_1$ such that $\sigma' = \sigma_1$ except $\sigma'.LoLock = true$ and $\sigma'.EventCount = \sigma_1.EventCount + 1$. And so, $P_{(v,\approx)}(\sigma_1, \gamma, \sigma'_1) = 0$. And by similar reasoning, $P_{(v,\approx)}(\sigma_2, \gamma, \sigma'_1) = 0$. Hence again, $P_{(v,\approx)}(\sigma_1, \gamma, \sigma'_1) = P_{(v,\approx)}(\sigma_2, \gamma, \sigma'_1)$. Therefore, Case 1.1 holds.

Case 1.2: $\gamma = \langle Write\ o, ObjectWritten\rangle$ for some object $o$.

By examination of $T$, the transitions that can engage in $\gamma$ are given by

$\{(\sigma, \gamma, \sigma', .143) \mid \sigma.LoLock = true \text{ and } \sigma' = \sigma \text{ except } \sigma'.O = o\}$.

Suppose that $\sigma_1.LoLock = \sigma'_1.LoLock = true$. There is exactly one state $\sigma'$ such that $\sigma' = \sigma_1$ except $\sigma'.O = o$. Since $(\sigma_1, \langle Write\ o, ObjectWritten\rangle, \sigma', .143)$ is thus a member of the above set and $\sigma' \approx \sigma'_1$, $P_{(v,\approx)}(\sigma_1, \gamma, \sigma'_1) = .143$. By the same reasoning (since $\sigma_1 \approx \sigma_2$ and hence, $\sigma_2.LoLock = \sigma'_1.LoLock = true$ also), $P_{(v,\approx)}(\sigma_2, \gamma, \sigma'_1) = .143$. Hence, $P_{(v,\approx)}(\sigma_1, \gamma, \sigma'_1) = P_{(v,\approx)}(\sigma_2, \gamma, \sigma'_1)$.

On the other hand, suppose that $\sigma_1.LoLock = false$ or $\sigma'_1.LoLock = false$. In this case, there does not exist a $\sigma' \approx \sigma'_1$ such that $\sigma_1.LoLock = true$ and $\sigma' = \sigma_1$ except $\sigma'.O = o$, and so, $P_{(v,\approx)}(\sigma_1, \gamma, \sigma'_1) = 0$. Similarly, since $\sigma_1 \approx \sigma_2$ and so $\sigma_2.LoLock = \sigma_1.LoLock$, $P_{(v,\approx)}(\sigma_2, \gamma, \sigma'_1) = 0$. Hence, again $P_{(v,\approx)}(\sigma_1, \gamma, \sigma'_1) = P_{(v,\approx)}(\sigma_2, \gamma, \sigma'_1)$. Therefore, Case 1.2 holds.

Case 1.3: $\gamma = \langle Write\ o, ObjectNotWritten\rangle$ for some object $o$.

By examination of $T$, the transitions that can engage in $\gamma$ are given by:

$\{(\sigma, \gamma, \sigma, .143) \mid \neg\sigma.LoLock\}$.

Suppose that $\sigma_1.LoLock = \sigma'_1.LoLock = false$. Then, $(\sigma_1, \gamma, \sigma_1, .143)$ is a member of the above set and $\sigma_1 \approx \sigma'_1$, and so $P_{(v,\approx)}(\sigma_1, \gamma, \sigma'_1) = .143$. By the same reasoning (since $\sigma_1 \approx \sigma_2$ and hence, $\sigma_2.LoLock = \sigma'_1.LoLock = false$ also), $P_{(v,\approx)}(\sigma_2, \gamma, \sigma'_1) = .143$. Hence, $P_{(v,\approx)}(\sigma_1, \gamma, \sigma'_1) = P_{(v,\approx)}(\sigma_2, \gamma, \sigma'_1)$.

On the other hand, suppose that $\sigma_1.LoLock = true$ or $\sigma'_1.LoLock = true$. In this case, either $(\sigma_1, \gamma, \sigma_1, .143)$ is not a member of the above set, or $\sigma_1 \not\approx \sigma'_1$, and so, $P_{(v,\approx)}(\sigma_1, \gamma, \sigma'_1) = 0$.

Similarly, since $\sigma_1 \approx \sigma_2$ and so $\sigma_2.LoLock = \sigma_1.LoLock$, $P_{(v,\approx)}(\sigma_2, \gamma, \sigma'_1) = 0$. Hence again, $P_{(v,\approx)}(\sigma_1, \gamma, \sigma'_1) = P_{(v,\approx)}(\sigma_2, \gamma, \sigma'_1)$. Therefore, Case 1.3 holds.

Case 1.4: $\gamma = \langle EndWrite, WriteSuccessful\rangle$.

By examination of $T$, the transitions that can engage in $\gamma$ are given by

$\{(\sigma, \gamma, \sigma', .143) \mid \sigma' = \sigma \text{ except } \sigma'.LoLock = false\}$.

Suppose $\sigma'_1.LoLock = false$. Then, there is exactly one state $\sigma'$ such that $\sigma' = \sigma_1$ except $\sigma'.LoLock = false$. Since $\sigma'_1.LoLock = false = \sigma'.LoLock$, $\sigma'_1 \approx \sigma'$ and therefore, $P_{(v,\approx)}(\sigma_1, \gamma, \sigma'_1) = .143$. By similar reasoning, $P_{(v,\approx)}(\sigma_2, \gamma, \sigma'_1) = .143$. Hence, $P_{(v,\approx)}(\sigma_1, \gamma, \sigma'_1) = P_{(v,\approx)}(\sigma_2, \gamma, \sigma'_1)$.

Suppose, on the other hand, that $\sigma'_1.LoLock = true$. In this case, there does not exist a $\sigma' \approx \sigma'_1$ such that $\sigma' = \sigma_1$ except $\sigma'.LoLock = false$. And so, $P_{(v,\approx)}(\sigma_1, \gamma, \sigma'_1) = 0$. And by similar reasoning, $P_{(v,\approx)}(\sigma_2, \gamma, \sigma'_1) = 0$. Hence again, $P_{(v,\approx)}(\sigma_1, \gamma, \sigma'_1) = P_{(v,\approx)}(\sigma_2, \gamma, \sigma'_1)$. Therefore, Case 1.4 holds, and so Case 1 holds.


J. W. GRAY III


Case 2: $\gamma \notin v$.

We divide this case into two subcases: $\sigma_1 \approx \sigma'_1$ and $\sigma_1 \not\approx \sigma'_1$.

Case 2.1: $\sigma_1 \approx \sigma'_1$

By the definitions of $T$, $v$, and $\approx$, it can be shown that for any possible transition $(\sigma, \gamma, \sigma', p)$ where $\gamma$ is an invisible event sequence, it is the case that $\sigma \approx \sigma'$ (i.e., for any $\gamma' \in E^* - v$, $(\sigma_1, \gamma', \sigma'_2, p) \in T$ implies $\sigma_1 \approx \sigma'_2$). Now, by the definition of $P$,

$P_{(v,\approx)}(\sigma_1, \gamma, \sigma'_1) = \sum_{\gamma' \in E^* - v \text{ and } \sigma' \approx \sigma'_1} P(\sigma_1, \gamma', \sigma')$

Since $\sigma_1 \approx \sigma'_1$ and, for any $\gamma' \notin v$, $(\sigma_1, \gamma', \sigma'_2, p) \in T$ implies $\sigma_1 \approx \sigma'_2$ (as noted above), the above equation can be simplified to

$P_{(v,\approx)}(\sigma_1, \gamma, \sigma'_1) = \sum_{\gamma' \in E^* - v,\ \sigma' \in S} P(\sigma_1, \gamma', \sigma') = P_{(v,\approx)}(\sigma_1, \gamma, \sigma_1)$

Claim: Given that $\gamma \notin v$, for any $\sigma \in S$, $P_{(v,\approx)}(\sigma, \gamma, \sigma) = .572$.

Justification: Given any state $\sigma$, (1) the event $\langle BeginRead\rangle$ can occur with probability .143; (2) the event $\langle Read, o\rangle$ can occur with probability .143; (3) either $\langle OKtoRead\rangle$ or $\langle\epsilon\rangle$, but not both, can occur with probability .143 (depending on the values of $\sigma.HiWaiting$ and $\sigma.LoLock$); and (4) either $\langle EndRead, ReadSuccessful\rangle$ or $\langle EndRead, ReadFailed\rangle$, but not both, can occur with probability .143 (depending on the values of $\sigma.HiStartRead$ and $\sigma.EventCount$).

Summing up these four, $P_{(v,\approx)}(\sigma, \gamma, \sigma) = .572$, regardless of the state $\sigma$.

Therefore, we have,

$P_{(v,\approx)}(\sigma_1, \gamma, \sigma'_1) = P_{(v,\approx)}(\sigma_1, \gamma, \sigma_1) = P_{(v,\approx)}(\sigma_2, \gamma, \sigma_2) = P_{(v,\approx)}(\sigma_2, \gamma, \sigma'_1)$

and Case 2.1 holds.

Case 2.2: $\sigma_1 \not\approx \sigma'_1$

In this case, there is no $\sigma'_2 \approx \sigma'_1$ and probability $p$ such that $(\sigma_1, \gamma, \sigma'_2, p) \in T$. So, $P_{(v,\approx)}(\sigma_1, \gamma, \sigma'_1) = 0$. Similarly, since $\sigma_1 \approx \sigma_2$ and so, $\sigma_2 \not\approx \sigma'_1$, it can also be shown that $P_{(v,\approx)}(\sigma_2, \gamma, \sigma'_1) = 0$. Thus, $P_{(v,\approx)}(\sigma_1, \gamma, \sigma'_1) = P_{(v,\approx)}(\sigma_2, \gamma, \sigma'_1)$ and Case 2.2 holds.

Thus (2) holds and $(v, \approx)$ is P-restrictive for $\Sigma_2$. $\square$
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5.4  A  First  Attempt  at  Preventing  Denial  of  Service 

The above solution has no probabilistic interference. However, as mentioned previously, low writers can easily deny service to high readers by writing frequently. In fact, Reed and Kanodia [8] point out that “No algorithm can simultaneously guarantee that readers will be able to complete reading and that readers can never signal writers.”

A reasonable approach to partially solving this denial of service problem is to nondeterministically decide whether to grant write access to the low writer. If the low writer were not always permitted to obtain write access, then the high reader would have a greater chance to complete reading.

A system designer might (maliciously or with good intentions) decide that if a high reader is currently reading, then the low writer should most often be denied write access, whereas if the high reader is not reading, then the low reader should most often be granted access.

With this strategy in mind, the following solution might be advanced.

Let $\Sigma_3$ be the state machine given by $(S, \sigma_0, E, I, O, T)$, where

$S = \{0, 1\} \times \{0, 1\} \times \{0, 1\} \times object \times integer \times integer$.

We refer to the components of a state $\sigma$ by the following mnemonics:
$\sigma.LoLock$ : boolean
$\sigma.HiWaiting$ : boolean
$\sigma.HiReading$ : boolean
$\sigma.O$ : object
$\sigma.EventCount$ : integer
$\sigma.HiStartRead$ : integer.

The initial state of the system is given by
$\sigma_0.LoLock = false$
$\sigma_0.HiWaiting = false$
$\sigma_0.HiReading = false$
$\sigma_0.O = null$
$\sigma_0.EventCount = 0$
$\sigma_0.HiStartRead = 0$

$E = \{BeginRead, OKtoRead, Read, EndRead, ReadSuccessful, ReadFailed, BeginWrite, OKtoWrite, NotOKtoWrite, ObjectWritten, ObjectNotWritten, EndWrite, WriteSuccessful, \epsilon\} \cup object \cup \{Write\ o \mid o \in object\}$.

$I = \{BeginRead, Read, EndRead, BeginWrite, EndWrite\} \cup \{Write\ o \mid o \in object\}$

$O = \{OKtoRead, ReadSuccessful, ReadFailed, OKtoWrite, NotOKtoWrite, ObjectWritten, ObjectNotWritten, WriteSuccessful\} \cup object$

$T = \{(\sigma, \langle BeginRead\rangle, \sigma', .143) \mid \sigma' = \sigma \text{ except } \sigma'.HiWaiting = true\} \cup$

$\{(\sigma, \langle OKtoRead\rangle, \sigma', .143) \mid \sigma.HiWaiting = true \text{ and } \sigma.LoLock = false \text{ and } \sigma' = \sigma \text{ except } \sigma'.HiWaiting = false \text{ and } \sigma'.HiReading = true \text{ and } \sigma'.HiStartRead = \sigma.EventCount\} \cup$

$\{(\sigma, \langle\epsilon\rangle, \sigma, .143) \mid (\sigma.HiWaiting = false \text{ or } \sigma.LoLock = true)\} \cup$

$\{(\sigma, \langle Read, o\rangle, \sigma, .143) \mid o = \sigma.O\} \cup$

$\{(\sigma, \langle EndRead, ReadSuccessful\rangle, \sigma, .143) \mid \sigma.HiStartRead = \sigma.EventCount\} \cup$

$\{(\sigma, \langle EndRead, ReadFailed\rangle, \sigma, .143) \mid \sigma.HiStartRead \neq \sigma.EventCount\} \cup$

$\{(\sigma, \langle BeginWrite, OKtoWrite\rangle, \sigma', .043) \mid \sigma.HiReading = true \text{ and } \sigma' = \sigma \text{ except } \sigma'.LoLock = true \text{ and } \sigma'.EventCount = \sigma.EventCount + 1\} \cup$

$\{(\sigma, \langle BeginWrite, NotOKtoWrite\rangle, \sigma, .1) \mid \sigma.HiReading = true\} \cup$

$\{(\sigma, \langle BeginWrite, OKtoWrite\rangle, \sigma', .1) \mid \sigma.HiReading = false \text{ and } \sigma' = \sigma \text{ except } \sigma'.LoLock = true \text{ and } \sigma'.EventCount = \sigma.EventCount + 1\} \cup$

$\{(\sigma, \langle BeginWrite, NotOKtoWrite\rangle, \sigma, .043) \mid \sigma.HiReading = false\} \cup$

$\{(\sigma, \langle Write\ o, ObjectWritten\rangle, \sigma', .143) \mid \sigma.LoLock = true \text{ and } \sigma' = \sigma \text{ except } \sigma'.O = o\} \cup$

$\{(\sigma, \langle Write\ o, ObjectNotWritten\rangle, \sigma, .143) \mid \sigma.LoLock = false\} \cup$

$\{(\sigma, \langle EndWrite, WriteSuccessful\rangle, \sigma', .143) \mid \sigma' = \sigma \text{ except } \sigma'.LoLock = false\}$.

Theorem 6: Let $\Sigma_3' = (S', \sigma'_0, E', I', O', T')$ where $S' = S$, $\sigma'_0 = \sigma_0$, $E' = E$, $I' = I$, $O' = O$, and $T' = \{(\sigma_1, \gamma, \sigma_2) \mid \exists p \in (0, 1] \text{ such that } (\sigma_1, \gamma, \sigma_2, p) \in T\}$.

Let $\approx$ be defined by:

For all $\sigma$ and $\sigma'$, $\sigma \approx \sigma'$ if and only if $\sigma.LoLock = \sigma'.LoLock$

and let

$v = \{\langle BeginWrite, OKtoWrite\rangle, \langle BeginWrite, NotOKtoWrite\rangle, \langle EndWrite, WriteSuccessful\rangle\} \cup \{\langle Write\ o, ObjectWritten\rangle \mid o \in object\} \cup \{\langle Write\ o, ObjectNotWritten\rangle \mid o \in object\}$.

The projection $(v, \approx)$ is restrictive for $\Sigma_3'$.

Proof: Let $(\sigma_1, \gamma, \sigma'_1)$ be an arbitrary transition of $\Sigma_3'$.

We must show that:

(1) $\gamma \upharpoonright I' \neq \langle\rangle$ and $\gamma \notin v \Rightarrow \sigma_1 \approx \sigma'_1$, and

(2) $\forall \sigma_2 \in S',\ \sigma_1 \approx \sigma_2 \Rightarrow (\exists \sigma'_2 \in S')(\exists \gamma' \in E'^*)$

[(2a) $(\sigma_2, \gamma', \sigma'_2) \in ET'$,

(2b) $\sigma'_2 \approx \sigma'_1$,

(2c) $\gamma \upharpoonright I' \neq \langle\rangle$ and $\gamma \in v \Rightarrow \gamma' = \gamma$,

(2d) $\gamma \notin v \Rightarrow \gamma' \in (E'^* - v)^*$, and

(2e) $\gamma \upharpoonright I' = \langle\rangle$ and $\gamma \in v \Rightarrow (\exists \gamma_1, \gamma_2 \in (E'^* - v)^*)[\gamma' = \gamma_1 \frown \gamma \frown \gamma_2]$].

(1) can be shown in exactly the same way as in the proof of Theorem 4.

Now, to show (2), let $\sigma_2$ be an arbitrary state such that $\sigma_1 \approx \sigma_2$. We must show that

$(\exists \sigma'_2 \in S')(\exists \gamma' \in E'^*)$

[(2a) $(\sigma_2, \gamma', \sigma'_2) \in ET'$,

(2b) $\sigma'_2 \approx \sigma'_1$,

(2c) $\gamma \upharpoonright I' \neq \langle\rangle$ and $\gamma \in v \Rightarrow \gamma' = \gamma$,

(2d) $\gamma \notin v \Rightarrow \gamma' \in (E'^* - v)^*$, and

(2e) $\gamma \upharpoonright I' = \langle\rangle$ and $\gamma \in v \Rightarrow (\exists \gamma_1, \gamma_2 \in (E'^* - v)^*)[\gamma' = \gamma_1 \frown \gamma \frown \gamma_2]$].

By examination of $T'$, the transitions of $\Sigma_2'$ are described by 13 sets of transitions unioned together. By showing (2) for all 13 sets we will have shown (2) for all transitions. We consider the 13 sets in 13 separate cases.
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Case  1:  {oy,  j,&i)  €  {(0,  (BeginRead),#1)  j  o'  =  a  except  & .HiWaiting  =  true}. 

Choose  a>2  =  02  except  o2' .HiWaiting  =  true.  Choose  V  =  7.  Now,  (cr2,7,,<4)  e 
{{a, {Begin  Read),  o')  |  o'  =  a  except  o'. HiWaiting  =  true} 

so  (2a)  holds;.by  the  transitivity  of  ~,  (2b)  holds;  since  V  =  7,  (2c)  holds;  and  (2d)  and  (2e) 
hold  vacuously  since  7  0>/'  arid'7  €  v.  Therefore,  Case  1  holds. 

Case  2:  (01,7, 0()  €  { (0,  (OKtoRead),^)  \  a.HiWaiting  —  true  and  a.LoLock  =  false 

and  a'  =  a  except  o' .HiWaiting  =  false  and  o'.HiReading  =  true  arid 

o' .HiStartRead  =  o.EventCount }. 

Suppose  that  02. HiWaiting  =  true.  Then,  choose  d'2  =  02  except  o'2.HiWaiting  =  false 
and  o'2.HiReading  =  true  and  o'2. HiStartRead  =  02.EventC0u.nt.  Choose  7'  =  7.  Now, 
(02, 7',  02)  g  { (0,  (OKtoRead),a')  |  a.HiWaiting  =  true  and  a.LoLock  =  false 
and  o'  =  0  except  o'  .HiWaiting  =  false  and  o'.HiReading  =  true,  and 

o'. HiStartRead  =  o.EventCount  }  so  (2a)  holds;  by  the  transitivity  of  «,  (2b)  holds;  since 
7'  =  7,  (2c)  holds;  and  (2d)  and  (2e)  hold  vacuously  since  7  8 >/'  and  7  €  w. 

On  the  other  hand,  suppose  that  o2. HiWaiting  =  false.  Then,  choose  02  =  02  and  choose 
7'  =  (e).  Now,  (02, 7',  02)  €  { (0,  (e),0)  |  {a.HiWaiting  =  false  or  a.LoLock  =  true) } 
so  (2a)  holds;  by  the  transitivity  of  «,  (2b)  holds;  (2c)  and  (2e)  hold  vacuously  since  7  $  v, 
*  d  (2d)  holds  since  7'  G  {E'*  -v)*.  Therefore,  Case.  2  holds. 

Case  3:  (01,7,01)  €  { (0,  (e),0)  |  {a.HiWaiting  =  false  or  a.LoLock  =  true) } 

This  case  is  analagous  to  Case  2. 

Case  4:  (01 ,7,0^)  6  { (0,  {Read,  0) ,  0)  |  0  =  a.O  } 

Choose  02  =  02-  Choose  7'  =  {Read, o')  where  o'  =  02.O.  Now,  (02,  Y,cr2)  G 
{ (0,  (BeginRead),a!)  \  o'  —  a  except  o'  .HiWaiting  =  true} 

so  (2a)  holds;  by  the  reflexivity  and  the  transitivity  of  «,  (2b)  holds;  (2c)  and  (2e)  hold 
vacuously  since  7  ^  u;  and  (2d)  holds  since  7'  G  {E1*  -  v)*.  Therefore,  Case  4  holds. 


Case  5:  (01,7,01)  £  { (0,  {EndRead,ReadSuccessful),a)  |  a. HiStartRead  =  o.EventCount } 

Suppose  that  o2.HiStartRead  =  02-EventCount.  Then,  choose  02  =  02.  Choose  7'  =  7. 
Now,  (02,7',  02)  € 

,  {.(0,  { EndRead ,  ReadSuccessful),  a)  j  a. HiStartRead  =  o.EventCount } 

so  (2a)  holds;  by  the  transitivity  of  «,  (2b)  holds;  (2c)  and  (2e)  hold  vacuously  since  7  £  v\ 
and  (2d)  holds  since  7'  G  {E'*  -v)*. 

On  the  other  hand,  suppose  that  02.HiStartRead  ^  02.EventCou.nt  .  Then,  choose  02  =  02 
and  choose  7'  =  {EndRead,  ReadF ailed).  Now,  (02, 7',  02)  € 

{  (0,  ( EndRead ,  ReadF  ailed),  a)  |  a. HiStartRead  ^  o.EventCount } 

so  (2$)  holds;  by  the  transitivity  of «,  (2b)  holds;  (2c)  and  (2e)  hold  vacuously  since  7^; 

and  (2d)  holds  since  7'  G  {E1*  -v)*.  Therefore,  Case  5  holds. 
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Case  6:  (01,7,0))  G  '{-(0,  ( EndRead,ReadFdiled),a)\  o.HiStartRead  ^  a.EventCount} 

This  ease  is  analagous  to  Case  5. 

Case  7:  (0 1,7,0))  €  {.(0,  ( BeginWrite, OKtoWfite), a ')  j  a.HiReading  =  true  and  a'  =  a  except 
a'.LoLock  =  true  and  o'. EventCount  =  a.EventCount  +  1} 

Choose  02  =  ^2  except  crl'.LoLock  =  true  and  o2' .EventCount  =  a2.EventCount  +  1. 
Choose  7'  =  7.  Now*  if.  02 .HiReadihg  =  true,  then  (a2,j>,a'2)  e 

{'(a,  (Begm^rite,  OKtgWHte),a')  |  a.HiReading  =  true  and  0'  =  a  except  a'.LoLock  = 
'true  and  a' .EventCount  =  a.EventCount  +  1}.  If  a2.HiReading  =  false,  then 
(cr2,')' ,a'2)  €  {( d,  (BeginWrite, OKtoWrite), a ')  |  a.HiReading—  false  and  o'  —  a  except 
a'.LoLock'—  trueand  o'.EventCoxmt  =  a.EventCount  + 1}  so  (2a)  holds;  since  a'vLoLock  = 
true  =  a'2.LoLock,  (2B)-holds;  since  7'  =  7,  (2c)  holds;  and  (2d)  and  (2e)  hold  vacuously  since 
7  e>7'  and  7  6-u.  Therefore,  .Case  7  holds. 

Case  8:  (01,7, a[)  e  { (a,  {BeginWrite,  NotOKtoWrite),  a)  \  a.HiReading  =  true } 

This  case  is  analagous  to  Case  7. 

Case  9:  (01,7,  a[)  G  { (a,  (BeginWrite,  OKtoWrite),  a')  |  a.HiReading  =  false  and  o'  —  a  except 
a'.LoLock  —  true  and  o'  .EventCount  =  a.EventCount  + 1 } 

This  case  is  analagous  to  Case  7. 

Case  10:  (01,7. ^1)  €  { (0,  (BeginWrite, NotOKtoWrite), a)  \  a.HiReading  =  false) 

This,  case  is  analagous  to  case  7. 

Case  11:  (01,7,01)  €  {(0, (Write o,ObjectWritten), o')  |  a.LoLock  =  true  and  o  €  object  and 
o'  =  0  except  a'.O  =  0  } 

Choose  02  =  02  except  o2' .0  =  0 .  Choose  7'  =  7.  Now,  since  02  w  01,  a2.LoLock  =  true 
and  (02, 7',  02)  €  { (0,  ( Write  o,  ObjectWritten),a')  |  a.LoLock  =  true  and  0  G  object  and 
o'  =  o  except  a'.O  =  0}  so  (2a)  holds;  by  the  transitivity  of  «,  (2b)  holds;  since  7'  =  7,  (2c) 
holds;  and  (2d)  and  (2e)  hold  vacuously  since  7  Q>I'  and  7  G  v.  Therefore,  Case  11  holds. 

Case  12;  (01,7,01)  6  { (^  (Write  0,  ObjectN otWritten)  ,0)  \  a.LoLock  =  false  } 

Choose  a'2  =  02.  Choose  7'  =  7.  Now,  since  02  «  01,  a2.LoLock  =  false  and  (02, 7',  02)  € 

{ (a>  (Write  0,  ObjectNotWritten),o)  |  a.LoLock  =  false  } 

so  (2a)  holds;  by  the  transitivity  of  «,  (2b)  holds;  since  7'  =  7,  (2c)  holds;  and  (2d)  and  (2e) 
hold  vacuously  since  7  Q>  I'  and  7  G  u.  Therefore,  Case  12  holds. 

Case  13:  (01, 7,  a[)  G  { (0,  (EndWrite,  WriteSuccessful},  o')  j  o'  =  a  except  a'.LoLock  =  false  } 

Choose  02  =  02  except  a2! .LoLock  =  false.  Choose  7'  =  7.  Now,  (02, 7',  02)  € 

{ (0, ( EndWrite ,  WriteSuccessful), o')  |  o'  =  a  except  a'.LoLock  =  false) 

so  (2a)  holds;  since  o[.LoLock  =  false  =  02,  (2b)  holds;  since  7'  =  7,  (2c)  holds;  and  (2d)  and 

(2e)  hold  vacuously  since  7  e>  /'  and  7  G  v.  Therefore,  Case  13  holds. 

Thus  (2)  holds  and  (v, «)  is  restrictive  for  E2'.  () 

Given  the  three  objectives  that  the  solution  1)  be  restrictive,  2)  limit  denial  of  service,  and  3)  provide 
good  performance,  S3  is  very  reasonable.  However,  213  contains  a  probabilistic  covert  channel. 
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Theorem  7:  Let  «  and  v  be  defined  as  in  the  previous  theorem. 
The  projection  (v, «)  is  not  P-restrictive  for  S3. 


Proof:  Let  <7i  be  a  state  such  that  oi.HiReading  =  true.  Let  o 2  be  a  state  such  that  02.HiRea.ding  = 
false.  Additionally,  suppose  that  o\  zso2. 

Let  o[  =  ox  except  o[.LoLock  =  true  and  o[.EventCount  —  oi.EventCount  + 1.  By  the  definitions  of  P 
andT, 

P{t>,«>(<ri)  {BeginW  rite, OKtoW rite),  o[)  =  .043 

Let  g'2  =  02  except  o'2.LoLock  =  true  and  oi.EventCount .=  02.EventCount  + 1.  By  the  definitions  of  P 
and  T, 

P(v<?a){o2,(BeginWrite,  OKtoW.rite)  ,o'2)  =  .1 


But  since  02  «  o[, 


2)  {BeginW rite,  OKtoW  rite),  o[)  =  P{Vla)(o2,  {B  eginW  rite,  OKtoW  rite)  ,o[)  =  .1 


If  ( v , «)  were  P-restrictive,  then  it  would  be  the  case  that 


P(v,xi)((r I.  ( BeginWrite,OKtoWrite),o{ )  =  P^v^){o2,  (BeginWrite,OKtoWrite),o[) 


Since  they  are  not  equal,  (v, «)  is  not  P-restrictive  for  S3.  [) 

5.5  A  P-Restrictive  Solution 

We  now  develop  a  solution  to  the  secure  readers-writers  problem  that  limits  denial  of  service  and  is 
P-restrictive. 

Let $\Sigma_4$ be the state machine given by $(S, \sigma_0, E, I, O, T)$, where

$$S = \{0, 1\} \times \{0, 1\} \times \mathit{object} \times \mathit{integer} \times \mathit{integer}$$

We refer to the components of a state $\sigma$ by the following mnemonics:

$\sigma.\mathit{LoLock}$ : boolean
$\sigma.\mathit{HiWaiting}$ : boolean
$\sigma.O$ : object
$\sigma.\mathit{EventCount}$ : integer
$\sigma.\mathit{HiStartRead}$ : integer

The initial state of the system is given by:

$\sigma_0.\mathit{LoLock} = \mathit{false}$
$\sigma_0.\mathit{HiWaiting} = \mathit{false}$
$\sigma_0.O = \mathit{null}$
$\sigma_0.\mathit{EventCount} = 0$
$\sigma_0.\mathit{HiStartRead} = 0$

$$E = \{\mathit{BeginRead}, \mathit{OKtoRead}, \mathit{Read}, \mathit{EndRead}, \mathit{ReadSuccessful}, \mathit{ReadFailed}, \mathit{BeginWrite}, \mathit{OKtoWrite}, \mathit{NotOKtoWrite}, \mathit{ObjectWritten}, \mathit{ObjectNotWritten}, \mathit{EndWrite}, \mathit{WriteSuccessful}, e\} \cup \mathit{object} \cup \{\mathit{Write}\ o \mid o \in \mathit{object}\}$$

$$I = \{\mathit{BeginRead}, \mathit{Read}, \mathit{EndRead}, \mathit{BeginWrite}, \mathit{EndWrite}\} \cup \{\mathit{Write}\ o \mid o \in \mathit{object}\}$$

$$O = \{\mathit{OKtoRead}, \mathit{ReadSuccessful}, \mathit{ReadFailed}, \mathit{OKtoWrite}, \mathit{NotOKtoWrite}, \mathit{ObjectWritten}, \mathit{ObjectNotWritten}, \mathit{WriteSuccessful}\} \cup \mathit{object}$$

$$
\begin{aligned}
T = {} & \{(\sigma, (\mathit{BeginRead}), \sigma', .143) \mid \sigma' = \sigma \text{ except } \sigma'.\mathit{HiWaiting} = \mathit{true}\}\ \cup \\
& \{(\sigma, (\mathit{OKtoRead}), \sigma', .143) \mid \sigma.\mathit{HiWaiting} = \mathit{true} \text{ and } \sigma.\mathit{LoLock} = \mathit{false} \text{ and } \sigma' = \sigma \text{ except } \sigma'.\mathit{HiWaiting} = \mathit{false} \text{ and } \sigma'.\mathit{HiStartRead} = \sigma.\mathit{EventCount}\}\ \cup \\
& \{(\sigma, (e), \sigma, .143) \mid \sigma.\mathit{HiWaiting} = \mathit{false} \text{ or } \sigma.\mathit{LoLock} = \mathit{true}\}\ \cup \\
& \{(\sigma, (\mathit{Read}, o), \sigma, .143) \mid o = \sigma.O\}\ \cup \\
& \{(\sigma, (\mathit{EndRead}, \mathit{ReadSuccessful}), \sigma, .143) \mid \sigma.\mathit{HiStartRead} = \sigma.\mathit{EventCount}\}\ \cup \\
& \{(\sigma, (\mathit{EndRead}, \mathit{ReadFailed}), \sigma, .143) \mid \sigma.\mathit{HiStartRead} \neq \sigma.\mathit{EventCount}\}\ \cup \\
& \{(\sigma, (\mathit{BeginWrite}, \mathit{OKtoWrite}), \sigma', .71) \mid \sigma' = \sigma \text{ except } \sigma'.\mathit{LoLock} = \mathit{true} \text{ and } \sigma'.\mathit{EventCount} = \sigma.\mathit{EventCount} + 1\}\ \cup \\
& \{(\sigma, (\mathit{BeginWrite}, \mathit{NotOKtoWrite}), \sigma, .71) \mid \sigma \in S\}\ \cup \\
& \{(\sigma, (\mathit{Write}\ o, \mathit{ObjectWritten}), \sigma', .143) \mid \sigma.\mathit{LoLock} = \mathit{true} \text{ and } \sigma' = \sigma \text{ except } \sigma'.O = o\}\ \cup \\
& \{(\sigma, (\mathit{Write}\ o, \mathit{ObjectNotWritten}), \sigma, .143) \mid \sigma.\mathit{LoLock} = \mathit{false}\}\ \cup \\
& \{(\sigma, (\mathit{EndWrite}, \mathit{WriteSuccessful}), \sigma', .143) \mid \sigma' = \sigma \text{ except } \sigma'.\mathit{LoLock} = \mathit{false}\}.
\end{aligned}
$$

$\Sigma_4$ limits denial of service assuming that the low writer releases its write lock (i.e., performs an $\mathit{EndWrite}$) within some reasonable amount of time after obtaining it. If we cannot make this assumption (i.e., if the low writer is possibly erroneous or possibly malicious), then the probability of one of the existing transitions can be reduced by $.01$, and the following set can be added to $T$:

$$\{(\sigma, \mathit{LockBroken}, \sigma', .01) \mid \sigma.\mathit{LoLock} = \mathit{true} \text{ and } \sigma' = \sigma \text{ except } \sigma'.\mathit{LoLock} = \mathit{false}\}.$$

With this additional transition, the system may at any time break the low writer's lock on the object, thus preventing the low writer from obtaining a lock on the object and never releasing it.

$\Sigma_4$ (with or without the additional set of transitions) contains no probabilistic interference.

Theorem 8: Let $\approx$ be defined by:

For all $\sigma$ and $\sigma'$, $\sigma \approx \sigma'$ if and only if $\sigma.\mathit{LoLock} = \sigma'.\mathit{LoLock}$

and let

$$v = \{(\mathit{BeginWrite}, \mathit{OKtoWrite}), (\mathit{BeginWrite}, \mathit{NotOKtoWrite}), (\mathit{EndWrite}, \mathit{WriteSuccessful})\} \cup \{(\mathit{Write}\ o, \mathit{ObjectWritten}) \mid o \in \mathit{object}\} \cup \{(\mathit{Write}\ o, \mathit{ObjectNotWritten}) \mid o \in \mathit{object}\}$$

The projection $(v, \approx)$ is P-restrictive for $\Sigma_4$.

Proof: Let $\sigma_1$ and $\sigma_1' \in S$ be arbitrary states, $\gamma \in E^*$ be an arbitrary event sequence, and $p \in (0, 1]$ be a nonzero probability.

We must show that:

(1) $(\sigma_1, \gamma, \sigma_1', p) \in T$ and $\gamma \triangleright I$ and $\gamma \notin v \Rightarrow \sigma_1 \approx \sigma_1'$, and

(2) $\forall \sigma_2 \in S$, $\sigma_1 \approx \sigma_2 \Rightarrow P_{(v,\approx)}(\sigma_1, \gamma, \sigma_1') = P_{(v,\approx)}(\sigma_2, \gamma, \sigma_1')$.

To show (1), let $(\sigma_1, \gamma, \sigma_1', p) \in T$ and $\gamma \triangleright I$ and $\gamma \notin v$. Examination of $T$ reveals that there are four such $\gamma$: $(\mathit{BeginRead})$, $(\mathit{Read}, o)$, $(\mathit{EndRead}, \mathit{ReadSuccessful})$, and $(\mathit{EndRead}, \mathit{ReadFailed})$. We consider the four cases separately.

Case 1: $\gamma = (\mathit{BeginRead})$.

The only state transitions that engage in $(\mathit{BeginRead})$ are given by

$$\{(\sigma, (\mathit{BeginRead}), \sigma', .143) \mid \sigma' = \sigma \text{ except } \sigma'.\mathit{HiWaiting} = \mathit{true}\}$$

Thus, $\sigma_1' = \sigma_1$ except $\sigma_1'.\mathit{HiWaiting} = \mathit{true}$. And by the definition of $\approx$, $\sigma_1 \approx \sigma_1'$.

Case 2: $\gamma = (\mathit{Read}, o)$.

The only state transitions that engage in $(\mathit{Read}, o)$ are given by

$$\{(\sigma, (\mathit{Read}, o), \sigma, .143) \mid o = \sigma.O\}.$$

Thus there is no change in state, and so, $\sigma_1 \approx \sigma_1'$.

Case 3: $\gamma = (\mathit{EndRead}, \mathit{ReadSuccessful})$.

The only state transitions that engage in $(\mathit{EndRead}, \mathit{ReadSuccessful})$ are given by

$$\{(\sigma, (\mathit{EndRead}, \mathit{ReadSuccessful}), \sigma, .143) \mid \sigma.\mathit{HiStartRead} = \sigma.\mathit{EventCount}\}.$$

Thus there is no change in state, and so, $\sigma_1 \approx \sigma_1'$.

Case 4: $\gamma = (\mathit{EndRead}, \mathit{ReadFailed})$.

The only state transitions that engage in $(\mathit{EndRead}, \mathit{ReadFailed})$ are given by

$$\{(\sigma, (\mathit{EndRead}, \mathit{ReadFailed}), \sigma, .143) \mid \sigma.\mathit{HiStartRead} \neq \sigma.\mathit{EventCount}\}.$$

Thus there is no change in state, and so, $\sigma_1 \approx \sigma_1'$.

Therefore,  (1)  holds. 


Now, to show (2), let $\sigma_2$ be an arbitrary state such that $\sigma_1 \approx \sigma_2$. We must show that $P_{(v,\approx)}(\sigma_1, \gamma, \sigma_1') = P_{(v,\approx)}(\sigma_2, \gamma, \sigma_1')$.

We have two major cases: $\gamma \in v$ and $\gamma \notin v$.

Case 1: $\gamma \in v$.

According to the definition of $v$, there are five different event sequences $\gamma \in v$ for which we must show the above equality. We proceed with one subcase for each of these event sequences.

Case 1.1: $\gamma = (\mathit{BeginWrite}, \mathit{OKtoWrite})$.

By examination of $T$, the transitions that can engage in $\gamma$ are given by:

$$\{(\sigma, \gamma, \sigma', .71) \mid \sigma' = \sigma \text{ except } \sigma'.\mathit{LoLock} = \mathit{true} \text{ and } \sigma'.\mathit{EventCount} = \sigma.\mathit{EventCount} + 1\}$$

Suppose $\sigma_1'.\mathit{LoLock} = \mathit{true}$. Then there is exactly one state $\sigma' \in S$ such that $\sigma' = \sigma_1$ except $\sigma'.\mathit{LoLock} = \mathit{true}$ and $\sigma'.\mathit{EventCount} = \sigma_1.\mathit{EventCount} + 1$. Since $\sigma'.\mathit{LoLock} = \mathit{true} = \sigma_1'.\mathit{LoLock}$, $\sigma' \approx \sigma_1'$ and therefore, $P_{(v,\approx)}(\sigma_1, \gamma, \sigma_1') = .71$. By similar reasoning, $P_{(v,\approx)}(\sigma_2, \gamma, \sigma_1') = .71$.

Suppose, on the other hand, that $\sigma_1'.\mathit{LoLock} = \mathit{false}$. In this case, there does not exist a $\sigma' \approx \sigma_1'$ such that $\sigma' = \sigma_1$ except $\sigma'.\mathit{LoLock} = \mathit{true}$ and $\sigma'.\mathit{EventCount} = \sigma_1.\mathit{EventCount} + 1$. And so, $P_{(v,\approx)}(\sigma_1, \gamma, \sigma_1') = 0$. And by similar reasoning, $P_{(v,\approx)}(\sigma_2, \gamma, \sigma_1') = 0$. Hence again, $P_{(v,\approx)}(\sigma_1, \gamma, \sigma_1') = P_{(v,\approx)}(\sigma_2, \gamma, \sigma_1')$. Therefore, Case 1.1 holds.

Case 1.2: $\gamma = (\mathit{BeginWrite}, \mathit{NotOKtoWrite})$.

By examination of $T$, the transitions that can engage in $\gamma$ are given by:

$$\{(\sigma, \gamma, \sigma, .71) \mid \sigma \in S\}.$$

Suppose $\sigma_1 \approx \sigma_1'$. Then $P_{(v,\approx)}(\sigma_1, \gamma, \sigma_1') = .71$. By the transitivity of $\approx$, $\sigma_1' \approx \sigma_2$ and so $P_{(v,\approx)}(\sigma_2, \gamma, \sigma_1') = .71$. Hence, $P_{(v,\approx)}(\sigma_1, \gamma, \sigma_1') = P_{(v,\approx)}(\sigma_2, \gamma, \sigma_1')$.

Suppose, on the other hand, that $\sigma_1 \not\approx \sigma_1'$. Then $P_{(v,\approx)}(\sigma_1, \gamma, \sigma_1') = 0$. By the transitivity of $\approx$, $\sigma_1' \not\approx \sigma_2$ and so $P_{(v,\approx)}(\sigma_2, \gamma, \sigma_1') = 0$. Hence again, $P_{(v,\approx)}(\sigma_1, \gamma, \sigma_1') = P_{(v,\approx)}(\sigma_2, \gamma, \sigma_1')$.

Therefore, Case 1.2 holds.

Case 1.3: $\gamma = (\mathit{Write}\ o, \mathit{ObjectWritten})$ for some object $o$.

By examination of $T$, the transitions that can engage in $\gamma$ are given by:

$$\{(\sigma, \gamma, \sigma', .143) \mid \sigma.\mathit{LoLock} = \mathit{true} \text{ and } \sigma' = \sigma \text{ except } \sigma'.O = o\}.$$

Suppose that $\sigma_1.\mathit{LoLock} = \sigma_1'.\mathit{LoLock} = \mathit{true}$. There is exactly one state $\sigma'$ such that $\sigma' = \sigma_1$ except $\sigma'.O = o$. Since $(\sigma_1, (\mathit{Write}\ o, \mathit{ObjectWritten}), \sigma', .143)$ is thus a member of the above set and $\sigma' \approx \sigma_1'$, $P_{(v,\approx)}(\sigma_1, \gamma, \sigma_1') = .143$. By the same reasoning (since $\sigma_1 \approx \sigma_2$ and hence $\sigma_2.\mathit{LoLock} = \sigma_1'.\mathit{LoLock} = \mathit{true}$ also), $P_{(v,\approx)}(\sigma_2, \gamma, \sigma_1') = .143$. Hence, $P_{(v,\approx)}(\sigma_1, \gamma, \sigma_1') = P_{(v,\approx)}(\sigma_2, \gamma, \sigma_1')$.

On the other hand, suppose that $\sigma_1.\mathit{LoLock} = \mathit{false}$ or $\sigma_1'.\mathit{LoLock} = \mathit{false}$. In this case, there does not exist a $\sigma' \approx \sigma_1'$ such that $\sigma_1.\mathit{LoLock} = \mathit{true}$ and $\sigma' = \sigma_1$ except $\sigma'.O = o$, and so, $P_{(v,\approx)}(\sigma_1, \gamma, \sigma_1') = 0$. Similarly, since $\sigma_1 \approx \sigma_2$ and so $\sigma_2.\mathit{LoLock} = \sigma_1.\mathit{LoLock}$, $P_{(v,\approx)}(\sigma_2, \gamma, \sigma_1') = 0$. Hence again, $P_{(v,\approx)}(\sigma_1, \gamma, \sigma_1') = P_{(v,\approx)}(\sigma_2, \gamma, \sigma_1')$. Therefore, Case 1.3 holds.

Case 1.4: $\gamma = (\mathit{Write}\ o, \mathit{ObjectNotWritten})$ for some object $o$.

By examination of $T$, the transitions that can engage in $\gamma$ are given by:

$$\{(\sigma, \gamma, \sigma, .143) \mid \sigma.\mathit{LoLock} = \mathit{false}\}.$$

Suppose that $\sigma_1.\mathit{LoLock} = \sigma_1'.\mathit{LoLock} = \mathit{false}$. Then, $(\sigma_1, \gamma, \sigma_1, .143)$ is a member of the above set, and $\sigma_1 \approx \sigma_1'$, and so $P_{(v,\approx)}(\sigma_1, \gamma, \sigma_1') = .143$. By the same reasoning (since $\sigma_1 \approx \sigma_2$ and hence $\sigma_2.\mathit{LoLock} = \sigma_1'.\mathit{LoLock} = \mathit{false}$ also), $P_{(v,\approx)}(\sigma_2, \gamma, \sigma_1') = .143$. Hence, $P_{(v,\approx)}(\sigma_1, \gamma, \sigma_1') = P_{(v,\approx)}(\sigma_2, \gamma, \sigma_1')$.

On the other hand, suppose that $\sigma_1.\mathit{LoLock} = \mathit{true}$ or $\sigma_1'.\mathit{LoLock} = \mathit{true}$. In this case, either $(\sigma_1, \gamma, \sigma_1, .143)$ is not a member of the above set, or $\sigma_1 \not\approx \sigma_1'$, and so, $P_{(v,\approx)}(\sigma_1, \gamma, \sigma_1') = 0$. Similarly, since $\sigma_1 \approx \sigma_2$ and so $\sigma_2.\mathit{LoLock} = \sigma_1.\mathit{LoLock}$, $P_{(v,\approx)}(\sigma_2, \gamma, \sigma_1') = 0$. Hence again, $P_{(v,\approx)}(\sigma_1, \gamma, \sigma_1') = P_{(v,\approx)}(\sigma_2, \gamma, \sigma_1')$. Therefore, Case 1.4 holds.

Case 1.5: $\gamma = (\mathit{EndWrite}, \mathit{WriteSuccessful})$.

By examination of $T$, the transitions that can engage in $\gamma$ are given by:

$$\{(\sigma, \gamma, \sigma', .143) \mid \sigma' = \sigma \text{ except } \sigma'.\mathit{LoLock} = \mathit{false}\}.$$

Suppose $\sigma_1'.\mathit{LoLock} = \mathit{false}$. Then, there is exactly one state $\sigma'$ such that $\sigma' = \sigma_1$ except $\sigma'.\mathit{LoLock} = \mathit{false}$. Since $\sigma'.\mathit{LoLock} = \mathit{false} = \sigma_1'.\mathit{LoLock}$, $\sigma_1' \approx \sigma'$ and therefore, $P_{(v,\approx)}(\sigma_1, \gamma, \sigma_1') = .143$. By similar reasoning, $P_{(v,\approx)}(\sigma_2, \gamma, \sigma_1') = .143$. Hence, $P_{(v,\approx)}(\sigma_1, \gamma, \sigma_1') = P_{(v,\approx)}(\sigma_2, \gamma, \sigma_1')$.

Suppose, on the other hand, that $\sigma_1'.\mathit{LoLock} = \mathit{true}$. In this case, there does not exist a $\sigma' \approx \sigma_1'$ such that $\sigma' = \sigma_1$ except $\sigma'.\mathit{LoLock} = \mathit{false}$. And so, $P_{(v,\approx)}(\sigma_1, \gamma, \sigma_1') = 0$. And by similar reasoning, $P_{(v,\approx)}(\sigma_2, \gamma, \sigma_1') = 0$. Hence again, $P_{(v,\approx)}(\sigma_1, \gamma, \sigma_1') = P_{(v,\approx)}(\sigma_2, \gamma, \sigma_1')$.

Therefore, Case 1.5 holds, and so Case 1 holds.

Case 2: $\gamma \notin v$.

We will divide this case into two subcases: $\sigma_1 \approx \sigma_1'$ and $\sigma_1 \not\approx \sigma_1'$.

Case 2.1: $\sigma_1 \approx \sigma_1'$.

By the definitions of $T$, $\approx$, and $v$, it can be shown that for any possible transition $(\sigma, \gamma, \sigma', p)$ where $\gamma$ is an invisible event sequence, it is the case that $\sigma \approx \sigma'$ (i.e., for any $\gamma' \in E^* - v$, $(\sigma_1, \gamma', \sigma_2', p) \in T$ implies $\sigma_1 \approx \sigma_2'$).

Now, by the definition of $P$,

$$P_{(v,\approx)}(\sigma_1, \gamma, \sigma_1') = \sum_{\gamma' \in E^* - v \text{ and } \sigma_2' \approx \sigma_1'} P(\sigma_1, \gamma', \sigma_2')$$

Since $\sigma_1 \approx \sigma_1'$ and, for any $\gamma' \in E^* - v$, $(\sigma_1, \gamma', \sigma_2', p) \in T$ implies $\sigma_1 \approx \sigma_2'$ (as noted above), the above equation can be simplified to:

$$P_{(v,\approx)}(\sigma_1, \gamma, \sigma_1') = \sum_{\gamma' \in E^* - v} P(\sigma_1, \gamma', \sigma_2') = P_{(v,\approx)}(\sigma_1, \gamma, \sigma_1)$$

Claim: Given that $\gamma \notin v$, for any $\sigma \in S$, $P_{(v,\approx)}(\sigma, \gamma, \sigma) = .572$.

Justification: Given any state $\sigma$, (1) the event $(\mathit{BeginRead})$ can occur with probability $.143$; (2) the event $(\mathit{Read}, o)$ can occur with probability $.143$; (3) either $(\mathit{OKtoRead})$ or $(e)$, but not both, can occur with probability $.143$ (depending on the values of $\sigma.\mathit{HiWaiting}$ and $\sigma.\mathit{LoLock}$); (4) either $(\mathit{EndRead}, \mathit{ReadSuccessful})$ or $(\mathit{EndRead}, \mathit{ReadFailed})$, but not both, can occur with probability $.143$ (depending on the values of $\sigma.\mathit{HiStartRead}$ and $\sigma.\mathit{EventCount}$). Summing up these four, $P_{(v,\approx)}(\sigma, \gamma, \sigma) = .572$, regardless of the state $\sigma$.

Therefore, we have

$$P_{(v,\approx)}(\sigma_1, \gamma, \sigma_1') = P_{(v,\approx)}(\sigma_1, \gamma, \sigma_1) = P_{(v,\approx)}(\sigma_2, \gamma, \sigma_2) = P_{(v,\approx)}(\sigma_2, \gamma, \sigma_1')$$

and Case 2.1 holds.

Case 2.2: $\sigma_1 \not\approx \sigma_1'$.

In this case, there does not exist a $\sigma_2' \approx \sigma_1'$ and a probability $p$ such that $(\sigma_1, \gamma', \sigma_2', p) \in T$ for some $\gamma' \in E^* - v$. So, $P_{(v,\approx)}(\sigma_1, \gamma, \sigma_1') = 0$. Similarly, since $\sigma_1 \approx \sigma_2$ and so $\sigma_2 \not\approx \sigma_1'$, it can also be shown that $P_{(v,\approx)}(\sigma_2, \gamma, \sigma_1') = 0$. Thus, $P_{(v,\approx)}(\sigma_1, \gamma, \sigma_1') = P_{(v,\approx)}(\sigma_2, \gamma, \sigma_1')$ and Case 2.2 holds.

Thus (2) holds and $(v, \approx)$ is P-restrictive for $\Sigma_4$. □
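The following Python, added here and not part of the report, encodes $T$ of $\Sigma_4$ and the projection $(v, \approx)$ of Theorem 8 and checks condition (2) mechanically: for each state it tabulates $P_{(v,\approx)}(\sigma, \gamma, \sigma')$ into every $\approx$-class and requires $\approx$-equivalent states to have identical tables. Run over the one $\mathit{BeginWrite}$ rule of $\Sigma_3$ that the proof of Theorem 7 gives, the same check reports the $.043$ versus $.1$ discrepancy; the object domain, the counter bounds and the $\Sigma_3$ fragment are assumptions of this example, not definitions from the report.

```python
"""Added example (not code from the report): checks P-restrictiveness condition (2)
for the Σ4 machine of Section 5.5 and for the Σ3 BeginWrite rule Theorem 7 shows
leaks. Object domain and counter bounds are constructed; probabilities stay exact."""
from collections import defaultdict, namedtuple
from fractions import Fraction
from itertools import product

P143, P71, P043, P1 = (Fraction(x) for x in ("0.143", "0.71", "0.043", "0.1"))
OBJECTS = ("null", "a", "b")                    # constructed finite object domain
S4 = namedtuple("S4", "lo_lock hi_waiting obj event_count hi_start_read")
LO_VIEW = lambda s: s.lo_lock   # the ≈ of Theorem 8: σ ≈ σ' iff σ.LoLock = σ'.LoLock

def sigma4(s):
    """T of Σ4 from state s: every (γ, σ', p) with (s, γ, σ', p) ∈ T, per 5.5."""
    t = [(("BeginRead",), s._replace(hi_waiting=True), P143)]
    if s.hi_waiting and not s.lo_lock:
        t.append((("OKtoRead",), s._replace(hi_waiting=False, hi_start_read=s.event_count), P143))
    else:
        t.append((("e",), s, P143))
    t.append((("Read", s.obj), s, P143))
    t.append((("EndRead", "ReadSuccessful" if s.hi_start_read == s.event_count
               else "ReadFailed"), s, P143))
    t.append((("BeginWrite", "OKtoWrite"),
              s._replace(lo_lock=True, event_count=s.event_count + 1), P71))
    t.append((("BeginWrite", "NotOKtoWrite"), s, P71))
    for o in OBJECTS:                           # γ = (Write o, ObjectWritten) etc.
        if s.lo_lock:
            t.append(((("Write", o), "ObjectWritten"), s._replace(obj=o), P143))
        else:
            t.append(((("Write", o), "ObjectNotWritten"), s, P143))
    t.append((("EndWrite", "WriteSuccessful"), s._replace(lo_lock=False), P143))
    return t

def visible4(gamma):
    """Membership in the v of Theorem 8: the low writer's own event sequences."""
    return gamma[0] in ("BeginWrite", "EndWrite") or gamma[0][0] == "Write"

def view_signature(trans, visible, key, s):
    """(γ or 'invisible', key(σ')) -> P_(v,≈)(s, γ, σ'): visible γ summed over σ'' ≈ σ',
    invisible γ summed over every invisible γ' into the ≈-class of σ'."""
    sig = defaultdict(Fraction)
    for g, t, p in trans(s):
        sig[(g if visible(g) else "invisible", key(t))] += p
    return dict(sig)

def p_restrictive_violations(states, trans, visible, key):
    """Condition (2): σ1 ≈ σ2 ⇒ equal P_(v,≈)(·, γ, σ') for every γ and σ', i.e.
    equal signatures within each ≈-class. Returns the offending state pairs."""
    first, bad = {}, []
    for s in states:
        sig = view_signature(trans, visible, key, s)
        ref, ref_sig = first.setdefault(key(s), (s, sig))
        if sig != ref_sig:
            bad.append((ref, s))
    return bad

def check_sigma4():
    states = [S4(*x) for x in product((False, True), (False, True), OBJECTS, range(3), range(3))]
    return p_restrictive_violations(states, sigma4, visible4, LO_VIEW)

# Σ3 fragment taken from Theorem 7's proof only (the rest of Σ3 is not on this page):
# OKtoWrite has probability .043 while the high reader is reading and .1 otherwise.
S3 = namedtuple("S3", "lo_lock hi_reading event_count")

def sigma3_beginwrite(s):
    return [(("BeginWrite", "OKtoWrite"), s._replace(lo_lock=True, event_count=s.event_count + 1),
             P043 if s.hi_reading else P1)]

def check_sigma3():
    states = [S3(*x) for x in product((False, True), (False, True), range(2))]
    return p_restrictive_violations(states, sigma3_beginwrite, visible4, LO_VIEW)
```

`check_sigma4()` returns no violations, matching Theorem 8, while `check_sigma3()` returns pairs of states that agree on LoLock but differ on HiReading, which is exactly the pair Theorem 7 exhibits.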


6. Composing Systems

It is desirable for P-restrictiveness to be composable (as is restrictiveness). To show that P-restrictiveness is composable requires a formalization of the composition of probability-extended state machines. However, there is not only one way to define this composition. The main difficulty we encountered in defining the composition of machines was how to treat time. On the one hand, timing considerations can affect the probabilities of events. For example, consider two systems: system A simply outputs a continuous sequence of 1's and system B simply outputs a continuous sequence of 0's. When these two systems are composed, the composite system outputs a continuous, nondeterministic sequence of 1's and 0's. The probability that the composite system will output a 1 at any given state of the system is based on the relative speeds at which the component systems operate. On the other hand, time is not represented in our model. Therefore, we have no way to model the composition of probability-extended state machines in a fully general way.

In  future  work,  we  may  incorporate  the  notion  of  time  into  the  current  model.  In  so  doing,  it  may  be 
possible  to  incorporate  constraints  on  timing  interference  (which  is  not  constrained  at  all  in  the  present  work) 
as  well  as  allow  us  to  properly  define  the  composition  of  systems  and  demonstrate  the  general  composability 
of  P-restrictiveness. 

In  the  meantime,  we  offer  the  following  limited  result.  In  the  following  sections,  the  simple  composition 
of  probability-extended  state  machines  is  defined  and  P-restrictiveness  is  shown  to  be  composable  under 
simple  composition.  In  defining  the  simple  composition  of  machines,  we  assume  that  the  composed  machines 
operate  at  an  identical,  constant  rate.  This  is  a  reasonable  assumption  in  some  applications  (e.g.,  two 
machines  executing  the  same  software  on  the  same  hardware  at  the  same  clock  speed). 

6.1  The  Simple  Composition  of  Systems 

Let $A = (S_A, s_{0A}, E_A, I_A, O_A, T_A)$ and $B = (S_B, s_{0B}, E_B, I_B, O_B, T_B)$ be two state machines. Provided that $E_A \cap E_B = \emptyset$, we define the simple composition of $A$ and $B$, denoted $A \| B$, as the machine $(S, s_0, E, I, O, T)$, where

$$S = S_A \times S_B$$
$$s_0 = (s_{0A}, s_{0B})$$
$$E = E_A \cup E_B$$
$$I = I_A \cup I_B$$
$$O = O_A \cup O_B$$

$$
\begin{aligned}
T = \{((s_A, s_B), \gamma, (t_A, t_B), \tfrac{1}{2}p) \mid {} & (s_A, s_B) \in S \text{ and } (t_A, t_B) \in S \text{ and } p \in [0, 1] \text{ and} \\
& (((s_A, \gamma, t_A, p) \in T_A \text{ and } s_B = t_B) \text{ or} \\
& \ ((s_B, \gamma, t_B, p) \in T_B \text{ and } s_A = t_A))\}
\end{aligned}
$$

If it is not true that $E_A \cap E_B = \emptyset$ then $A \| B$ is undefined.

6.2  The  Composition  of  Projections 

Let $A = (S_A, s_{0A}, E_A, I_A, O_A, T_A)$ and $B = (S_B, s_{0B}, E_B, I_B, O_B, T_B)$ be two state machines. Also let $(v_A, \approx_A)$ and $(v_B, \approx_B)$ be projections of $A$ and $B$, respectively. Provided that $v_A \cap v_B = \emptyset$, we define the composite projection, denoted by $(v_A, \approx_A) \circ (v_B, \approx_B)$, as the view $(v, \approx)$, where

$$v = v_A \cup v_B \quad \text{and}$$

$$(\forall (s_A, s_B), (t_A, t_B) \in S)\,[(s_A, s_B) \approx (t_A, t_B) \iff s_A \approx_A t_A \text{ and } s_B \approx_B t_B]$$

If it is not true that $v_A \cap v_B = \emptyset$ then the composite projection is undefined.

6.3  The  Composability  of  P-Restrictiveness 

Theorem 9: Let $A = (S_A, s_{0A}, E_A, I_A, O_A, T_A)$ and $B = (S_B, s_{0B}, E_B, I_B, O_B, T_B)$ be two state machines, and $(v_A, \approx_A)$ and $(v_B, \approx_B)$ be projections of $A$ and $B$, respectively. If $A \| B = (S, s_0, E, I, O, T)$ is defined, and $(v_A, \approx_A)$ is P-restrictive for $A$ and $(v_B, \approx_B)$ is P-restrictive for $B$, then $(v_A, \approx_A) \circ (v_B, \approx_B) = (v, \approx)$ is P-restrictive for $A \| B$.

Proof: Let $(A_1, B_1) \in S$ and $(A_1', B_1') \in S$ be arbitrary states, $\gamma \in E^*$ be an arbitrary event sequence, and $p \in (0, 1]$ be a nonzero probability. We must show that

(1) $((A_1, B_1), \gamma, (A_1', B_1'), p) \in T$ and $\gamma \triangleright I$ and $\gamma \notin v \Rightarrow (A_1, B_1) \approx (A_1', B_1')$, and

(2) $\forall (A_2, B_2) \in S$, $(A_1, B_1) \approx (A_2, B_2) \Rightarrow P_{(v,\approx)}((A_1, B_1), \gamma, (A_1', B_1')) = P_{(v,\approx)}((A_2, B_2), \gamma, (A_1', B_1'))$.

To show (1), let $((A_1, B_1), \gamma, (A_1', B_1'), p) \in T$ and $\gamma \triangleright I$ and $\gamma \notin v$. By the definition of $T$, we have two cases:

Case 1: $(A_1, \gamma, A_1', 2p) \in T_A$ and $B_1 = B_1'$.

By the definition of $v$, $\gamma \notin v \Rightarrow \gamma \notin v_A$. Also, since $\gamma \triangleright I$ and $E_A \cap E_B = \emptyset$ and $\gamma \in E_A^*$, it must be the case that $\gamma \triangleright I_A$. And so, by the P-restrictiveness of $A$, $A_1 \approx_A A_1'$.

By the reflexivity of $\approx_B$, $B_1 \approx_B B_1'$ and therefore, $(A_1, B_1) \approx (A_1', B_1')$.

Case 2: $A_1 = A_1'$ and $(B_1, \gamma, B_1', 2p) \in T_B$.

This case is analogous to Case 1.

Now to show (2), let $(A_2, B_2)$ be a state such that $(A_1, B_1) \approx (A_2, B_2)$.

We must show that $P_{(v,\approx)}((A_1, B_1), \gamma, (A_1', B_1')) = P_{(v,\approx)}((A_2, B_2), \gamma, (A_1', B_1'))$. We will show this in three cases.

Case 1: $\gamma \in v_A$.

Since $\gamma \in E_A^*$, every transition of $A \| B$ that engages in $\gamma$ leaves the $B$ component unchanged; so if $B_1 \not\approx_B B_1'$ (equivalently, since $B_1 \approx_B B_2$, if $B_2 \not\approx_B B_1'$) both sides of the required equality are $0$. Assume therefore that $B_1 \approx_B B_1'$. Then

$$
\begin{aligned}
P_{(v,\approx)}((A_1, B_1), \gamma, (A_1', B_1')) &= \sum_{(A_2', B_2') \approx (A_1', B_1')} P((A_1, B_1), \gamma, (A_2', B_2')) && [\text{def. } P_{(v,\approx)}] \\
&= \tfrac{1}{2} \sum_{A_2' \approx_A A_1'} P(A_1, \gamma, A_2') && [\text{def. } T \text{ and } \gamma] \\
&= \tfrac{1}{2} P_{(v_A,\approx_A)}(A_1, \gamma, A_1') && [\text{def. } P_{(v_A,\approx_A)}] \\
&= \tfrac{1}{2} P_{(v_A,\approx_A)}(A_2, \gamma, A_1') && [\text{P-rest. } (v_A,\approx_A)] \\
&= \tfrac{1}{2} \sum_{A_2' \approx_A A_1'} P(A_2, \gamma, A_2') && [\text{def. } P_{(v_A,\approx_A)}] \\
&= \sum_{(A_2', B_2') \approx (A_1', B_1')} P((A_2, B_2), \gamma, (A_2', B_2')) && [\text{def. } T \text{ and } p] \\
&= P_{(v,\approx)}((A_2, B_2), \gamma, (A_1', B_1')) && [\text{def. } P_{(v,\approx)}]
\end{aligned}
$$

And so, Case 1 holds.

Case 2: $\gamma \in v_B$.

This case is analogous to Case 1.

Case 3: $\gamma \notin v$.

As in Case 1, the $A$-summand below is present only when $B_1 \approx_B B_1'$ (equivalently $B_2 \approx_B B_1'$) and the $B$-summand only when $A_1 \approx_A A_1'$ (equivalently $A_2 \approx_A A_1'$); the P-restrictiveness step applies to each summand separately.

$$
\begin{aligned}
P_{(v,\approx)}((A_1, B_1), \gamma, (A_1', B_1')) &= \sum_{\substack{\gamma' \in E^* - v \text{ and} \\ (A_2', B_2') \approx (A_1', B_1')}} P((A_1, B_1), \gamma', (A_2', B_2')) && [\text{def. } P_{(v,\approx)}] \\
&= \tfrac{1}{2} \sum_{\substack{\gamma' \in E_A^* - v_A \text{ and} \\ A_2' \approx_A A_1'}} P(A_1, \gamma', A_2') + \tfrac{1}{2} \sum_{\substack{\gamma' \in E_B^* - v_B \text{ and} \\ B_2' \approx_B B_1'}} P(B_1, \gamma', B_2') && [\text{def. } T \text{ and } p] \\
&= \tfrac{1}{2} P_{(v_A,\approx_A)}(A_1, \gamma, A_1') + \tfrac{1}{2} P_{(v_B,\approx_B)}(B_1, \gamma, B_1') && [\text{def. } P_{(v_A,\approx_A)} \text{ and } P_{(v_B,\approx_B)}] \\
&= \tfrac{1}{2} P_{(v_A,\approx_A)}(A_2, \gamma, A_1') + \tfrac{1}{2} P_{(v_B,\approx_B)}(B_2, \gamma, B_1') && [\text{P-rest. } (v_A,\approx_A) \text{ and } (v_B,\approx_B)] \\
&= \tfrac{1}{2} \sum_{\substack{\gamma' \in E_A^* - v_A \text{ and} \\ A_2' \approx_A A_1'}} P(A_2, \gamma', A_2') + \tfrac{1}{2} \sum_{\substack{\gamma' \in E_B^* - v_B \text{ and} \\ B_2' \approx_B B_1'}} P(B_2, \gamma', B_2') && [\text{def. } P_{(v_A,\approx_A)} \text{ and } P_{(v_B,\approx_B)}] \\
&= \sum_{\substack{\gamma' \in E^* - v \text{ and} \\ (A_2', B_2') \approx (A_1', B_1')}} P((A_2, B_2), \gamma', (A_2', B_2')) && [\text{def. } T \text{ and } p] \\
&= P_{(v,\approx)}((A_2, B_2), \gamma, (A_1', B_1')) && [\text{def. } P_{(v,\approx)}]
\end{aligned}
$$

And so, Case 3 holds and the theorem is proved. □

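The following Python, added here and not part of the report, builds the simple composition $A \| B$ of Section 6.1 (each component step taken with probability $\tfrac{1}{2}p$) and the composite projection of 6.2 for two small constructed machines, and then evaluates both sides of the identities that Cases 1 and 3 of the proof above rest on. The machines $A$ and $B$, their projections and the name `p_view` are constructed for this example.

```python
"""Added example (not code from the report): the simple composition A||B of
Section 6.1, with each component step taken at half its own probability, and
the composite projection of 6.2, built over two small constructed machines and
compared with the identities that Cases 1 and 3 of the Theorem 9 proof rely on."""
from collections import defaultdict
from fractions import Fraction as F

def compose(TA, TB):
    """A||B: from (sA, sB) either A steps to (tA, sB) or B steps to (sA, tB), with
    probability ½p for a component transition of probability p. TA and TB map a
    state to its list of (γ, t, p); E_A ∩ E_B = ∅ is assumed, as the definition requires."""
    T = defaultdict(list)
    for sA in TA:
        for sB in TB:
            T[(sA, sB)] += [(g, (tA, sB), F(1, 2) * p) for g, tA, p in TA[sA]]
            T[(sA, sB)] += [(g, (sA, tB), F(1, 2) * p) for g, tB, p in TB[sB]]
    return dict(T)

def compose_projection(vA, keyA, vB, keyB):
    """(vA,≈A) ∘ (vB,≈B): v = vA ∪ vB and (sA,sB) ≈ (tA,tB) iff sA ≈A tA and sB ≈B tB.
    Each ≈ is given as a key function: equal keys mean equivalent states."""
    if vA & vB:
        raise ValueError("composite projection undefined: vA and vB overlap")
    return vA | vB, (lambda s: (keyA(s[0]), keyB(s[1])))

def p_view(T, v, key, s, gamma, t):
    """P_(v,≈)(σ, γ, σ') as used in Section 5: a visible γ is matched exactly, an
    invisible γ sums every invisible γ'; either way only targets σ'' ≈ σ' count."""
    return sum((p for g, u, p in T.get(s, []) if key(u) == key(t)
                and (g == gamma if gamma in v else g not in v)), F(0))

# Constructed components: A is a lock whose low user sees its own requests;
# B is a high reader whose only low-visible event is a "beep".
TA = {"free": [(("req", "ok"), "busy", F(1, 2)), (("tick",), "free", F(1, 2))],
      "busy": [(("req", "no"), "busy", F(1, 2)), (("rel",), "free", F(1, 2))]}
TB = {"idle": [(("hr",), "reading", F(1, 2)), (("beep",), "idle", F(1, 2))],
      "reading": [(("hx",), "idle", F(1, 2)), (("beep",), "reading", F(1, 2))]}
VA, KEY_A = {("req", "ok"), ("req", "no")}, (lambda a: a)   # low sees all of A's state
VB, KEY_B = {("beep",)}, (lambda b: 0)                      # low sees nothing of B's

def total_outgoing(T, s):
    """Probability mass leaving s; it stays 1 in A||B when it is 1 in both components."""
    return sum((p for _, _, p in T[s]), F(0))

def case1_identity(s, gamma, t):
    """Theorem 9, Case 1 (γ ∈ vA): P_(v,≈)(s, γ, t) on A||B beside ½ P_(vA,≈A)(sA, γ, tA);
    the two agree whenever sB ≈B tB (the composite value is 0 otherwise)."""
    T = compose(TA, TB)
    v, key = compose_projection(VA, KEY_A, VB, KEY_B)
    return (p_view(T, v, key, s, gamma, t),
            F(1, 2) * p_view(TA, VA, KEY_A, s[0], gamma, t[0]))

def case3_identity(s, gamma, t):
    """Theorem 9, Case 3 (γ ∉ v): P_(v,≈)(s, γ, t) on A||B beside
    ½ P_(vA,≈A)(sA, γ, tA) + ½ P_(vB,≈B)(sB, γ, tB), for s ≈ t."""
    T = compose(TA, TB)
    v, key = compose_projection(VA, KEY_A, VB, KEY_B)
    return (p_view(T, v, key, s, gamma, t),
            F(1, 2) * p_view(TA, VA, KEY_A, s[0], gamma, t[0])
            + F(1, 2) * p_view(TB, VB, KEY_B, s[1], gamma, t[1]))
```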
7.  Conclusions  and  Future  Work 

We have shown with examples that small systems that are restrictive (and that may appear to be reasonable) can contain probabilistic interference (i.e., probabilistic covert channels). Furthermore, it is clear that with larger systems that are shown to be restrictive, probabilistic covert channels may exist that are subtle and difficult to detect. Our extension to McCullough's work provides a security policy that, when applied to a system, guarantees that the system will contain no probabilistic interference.

Additionally, the main example of this report showed how nondeterminism can be used to prevent denial of service, and that useful, nondeterministic systems can be shown to be P-restrictive. Of course, the introduction of nondeterminism to prevent denial of service, as in our example, adversely impacts overall system performance. A tradeoff must be made between prevention of denial of service and system performance.

To apply P-restrictiveness in the development of secure systems, an implementation language that supports the specification of probabilities is needed. The compiler and target machine for this implementation language must accurately implement the specified probabilities, so that the actual system will behave exactly as in the specification, and thus be P-restrictive. Therefore, any effort to apply P-restrictiveness must be a long-term effort.

As discussed in the introduction, our plans for future work are to extend the present model and definition of security to include timing considerations. This will result in a definition of perfect security. Following that, it is our intention to weaken our definition of security to allow a quantifiable amount of interference. Hopefully, this will make the definition more usable (i.e., more systems will satisfy the definition) and will allow system developers to formally and precisely determine the rate at which a system can leak information. Furthermore, such a definition would allow system designers to trade off the security of the system with other design goals such as system performance and prevention of denial of service.